INTERNAL CONTROLS 


Guidance for Private, Government, 
AND NONPROFIT EnTITIES 

Lynford Graham, CPA, PhD, CFE 


18 0 7 

©WILEY 


2 0 0 7 


John Wiley & Sons, Inc. 



INTERNAL CONTROLS 


Guidance for Private, Government, 
AND NONPROFIT EnTITIES 

Lynford Graham, CPA, PhD, CFE 


18 0 7 

©WILEY 


2 0 0 7 


John Wiley & Sons, Inc. 


This book is printed on acid-free paper.® 

Copyright © 2008 by John Wiley & Sons, Inc. Ail rights reserved. 

Published by John Wiley & Sons, Inc., Hoboken, New Jersey. 

Published simultaneously in Canada. 

Wiley Bicentennial Logo: Richard J. Pacifico 

No part of this publication may be reproduced, stored in a retrieval System, or transmitted in any form 
or by any means, electronic, mechanical, photocopying, recording, scanning, or otherwise, except as 
permitted under Section 107 or 108 of the 1976 United States Copyright Act, without either the prior 
written permission of the Ihiblisher, or authorization through payment of the appropriate per-copy fee to 
the Copyright Clearance Center, Inc., 222 Rosewood Drive, Danvers, MA 01923, 978-750-8400, fax 
978-646-8600, or on the web at www.copyright.com. Requests to the Ihiblisher for permission should be 
addressed to the Permissions Department, John Wiley & Sons, Inc., 111 River Street, Hoboken, NJ 
07030, 201 748-6011, fax 201 748-6008, or online at http://www.wiely.com/go/permissions. 

Limit of Liability/Disclaimer of Warranty: While the publisher and author hâve used their best efforts in 
preparing this book, they make no représentations or warranties with respect to the accuracy or 
completeness of the contents of this book and specifically disclaim any implied warranties of 
merchantability or fitness for a particular purpose. No warranty may be created or extended by sales 
représentatives or written sales materials. The advice and strategies contained herein may not be suitable 
for your situation. You should consult with a professional where appropriate. Neither the publisher nor 
author shall be liable for any loss of profit or any other commercial damages, including but not limited 
to spécial, incidental, consequential, or other damages. 

For general information on our other products and services please contact our Customer Care 
Department within the United States at 877-762-2974, outside the United States at 317-572-3993 or 
fax 317-572-4002. 

Wiley also publishes its books in a variety of electronic formats. Some content that appears in print may 
not be available in electronic books. 

For more information about Wiley products, visit our Web site at http://www.wiley.com. 

Library of Congress Cataloging-in-Publication Data: 

Graham, Lynford. 

Internai Controls : guidance for private, govemment, and nonprofit entities / Lynford Graham. 
p. cm. 

ISBN 978-0-470-08948-4 (cloth) 

1. Auditing, Internai. 2. Managerial accounting. I. Title. 

HF5668.25.G724 2008 
658.15' 1 — dc22 

2007020133 


Printed in the United States of America. 


10 98765432 


About the Author 


LYNFORD GRAHAM CPA, PhD, CFE 

Lynford Graham is a Certified Public Accountant with more than 25 years of 
public accounting expérience in audit practice and in national policy devel- 
opment groups. He is currently a consultant on professional accounting and 
auditing matters and an author. 

Dr. Graham is a member of the American Institute of Certified Public 
Accountants (AICPA), and a recent past member of the Auditing Standards 
Board. He chaired the AICPA’ s Audit Risk Guide Task Force (“Assessing and 
Responding to Audit Risk in a Financial Statement Audit”) and was the U.S. 
représentative to the International Auditing and Assurance Standards Board 
(IAASB) Materiality Task Force (ISA 320 and 450). He previously served as 
a member of the AICPA’ s Materiality and Audit Risk Task Force (SAS 47); 
was a founding member of the AICPA’ s Information Technology Section, 
serving on its Executive Committee; and was a member of the AICPA’ s Sta- 
tistical Sampling Subcommittee during the development of SAS 39 on Audit 
Sampling. He drafted the 2007 révision of the AICPA Audit Guide, Audit 
Sampling . Previously he chaired the Educator-Practitioner Case Development 
Task Force for the annual AICPA Education Conférence and served on the 
Executive Committee of the Pre-Certification Education Committee. 

He is a former partner and the national director of audit policy for BDO 
Seidman, LLP. There Dr. Graham was responsible for the development and 
implémentation of audit policy and software, as well as Assurance Services 
Leaming and Education programs, and was the firm’s sampling coordinator. 
He served on several international BDO Seidman task forces developing audit 
software, audit methodology, sampling approaches, and audit automation 
techniques. Dr. Graham was responsible for BDO Seidman’ s implémenta- 
tion of audits of internai control under PCAOB AS 2 and participated with 
professional groups in developing industry-wide guidance on audits of inter- 
nai control. Prior to joining BDO Seidman LLP, Dr. Graham was an associate 
professor of accounting and information Systems and a graduate faculty fel- 
low at Rutgers University in Newark, New Jersey, where he taught primarily 


ABOUT THE AUTHOR 


financial accounting courses. Prior to joining Rutgers, he was a national 
accounting & SEC Consulting partner for Coopers & Lybrand, responsible 
for their technical issues research fonction and database, auditing research, 
and sampling techniques. 

A Certified Fraud Examiner and a member of the Association of Certified 
Fraud Examiners, Dr. Graham has provided Consulting guidance on matters 
of internai control and statistical and audit methods, including inventory sam- 
pling problems, fraud investigations, litigation Consulting, cost reimbursement 
studies and loan reviews. He has also worked with a variety of govemment 
agencies on the development and implémentation of audit régulations. 

Throughout his career he has maintained an active profile in the academie 
as well as the business community. A member of the American Accounting 
Association (AAA), he served as vice chairman of the Auditing Section and 
as a member of numerous committees and task forces. Dr. Graham had a 
leadership rôle in the development of Coopers & Lybrand’ s award winning 
“Excellence in Audit Education” materials, widely used in university audit 
courses in the 1990s. He is the past auditing section chair for the Mid-Atlantic 
Section of the AAA. In 2002 he received the Distinguished Service Award of 
the Auditing Section of the AAA. His numerous academie and business publi- 
cations span a variety of topical areas, including information Systems, internai 
Controls, expert Systems, audit risk, audit planning, fraud, sampling, analytical 
procedures, audit judgment, and international accounting and auditing. 

Dr. Graham holds an MBA in Industrial Management and a PhD in Busi- 
ness and Applied Economies, both from the University of Pennsylvania 
(Wharton School). 

He is also coeditor of the Accountant’s Handbook llth Edition (John Wiley 
& Sons, 2007) as well as coauthor or editor of many other audit and account- 
ing books and publications. 


Contents 


Préfacé vii 

1 An Introduction 1 

2 First Steps: A Pilot Project 9 

3 The Five Components of the Controls Framework 27 

Appendix 3A Blue Ribbon Committee on Improving 
the Effectiveness of Corporate Audit Committees 69 

4 Documenting Internai Controls Using a Framework 71 

Appendix 4A Sample Control Objectives for Major 
Cycles 86 

5 Setting the Scope of Your Documentation Project: 

Identifying the Core 99 

6 Establishing a Basis for Controls Effectiveness: 

Testing Controls 109 

Appendix 6A Sample Size Tutorial 124 

Appendix 6B Conducting Interviews: Gathering 

Internai Control Information 128 

7 Assessing Design Effectiveness and Operating 

Effectiveness 137 

Appendix 7 A A Framework for Evaluating Control 
Exceptions and Deficiencies 160 

8 Fraud Risks and Entity Self-Defense 1 79 


CONTENTS 


Appendix 8A Management Antifraud Programs 

and Controls: An Elément of The Control Environment 193 


Appendix Instructions for the Controls Design 

Assessment Case Study 21 9 

Part 1 Narrative of Controls Design 223 

Contribution to Cash Cycle Template — CCS 225 

Part 2 Contribution to Cash Cycle with Control 

Procedures — CCS 229 

Part 3 Contribution to Cash Cycle — Completed — CCS 233 

Index 239 


PREFACE 


A mountain of words has been written about internai Controls and fraud 
following the révélations at the tum of this new century regarding Enron, 
WorldCom, Tyco, Global Crossings, and others. Nevertheless, it is hard for 
many smaller, nonpublic entities to relate to these happenings, since they 
do not form subsidiaries to keep transactions off the face of their financial 
statements, use stock options to compensate executives “silently,” or design 
compensation and incentive packages that seem sufficient to finance an empire 
but are immaterial to the overall business. 

However, the issue of internai Controls and fraud does affect each and 
every business and organization, from the smallest to the largest, from the 
Women’ s Club to family businesses to the large private enterprise with many 
branches and international subsidiaries. Wherever an owner values the entity 
that he or she has worked to develop or has pride in the service and mission 
of their not-for-profit, the value of giving some attention to internai Controls 
exists. 

This book was written to address the need of entities and their auditors to 
understand practical internai Controls principles design and implémentation 
issues, not necessarily just the requirements of reporting on internai Controls 
due to régulation or public company législation, such as the Sarbanes-Oxley 
Act of 2002 (SOX). Nevertheless, we should not dismiss the importance of 
that législation and what it can teach us about the éléments and importance 
of Controls. There are lessons in Sarbanes-Oxley for ail of us. 

Beginning in 2007, private companies, not-for-profit entities, and govem- 
ments that préparé audited financial statements will be receiving a doser 
scrutiny of their internai Controls by their auditors. Identified gaps in Con- 
trols design and findings that Controls are not working effectively require 
the auditor to préparé a written communication of these matters to manage- 
ment and those charged with govemance, such as a board or committee with 
oversight responsibility. Many more control issues will be identified in the 
future than hâve been identified in the past. Common organizational control 
gaps in smaller entities include the lack of Controls documentation, the lack 
of accounting expertise, and the inability to properly accrue for expenses 


vii 


PREFACE 


and préparé financial statements. More and more oversight groups, private 
equity lenders, bankers, and regulators are asking that these communications 
be made explicitly and are asking that they be informed of such issues. For 
many of these entities, it is simply a matter of self-protection. They need 
to know if such risks exist, so they can décidé how to address them. The 
management and the auditors of failed organizations are often challenged 
as to why such information was not shared on a timely basis. Oral com- 
munications are quickly forgotten. Such information, clearly articulated and 
communicated, might hâve signaled the condition leading to the business 
failure and led to remédiai actions. 

This book will expand your understanding internai Controls, the use of a 
framework like COSO from which to understand and assess Controls, and 
common internai control problems. Based on the observations and 25 -plus 
years of practical expérience of the author, it will provide cost-effective sug- 
gestions for mitigating or remediating these common problems. 

Private companies and their auditors will benefit from an increased aware- 
ness of how internai Controls can improve operations and expand profits, 
and provide more time for management to attend to important matters, such 
as growing the business. Not-for-profit entities will better understand how 
they can fulfill their mission statements and protect themselves against the 
scandais that hâve affected (and sometimes destroyed) others. Government 
entities will benefit from practical ideas that will help them demonstrate their 
stewardship of funds in meeting their mission and mitigate the risk of fraud 
and waste so common in environments where Controls are an afterthought. 
And yes, public company auditors, internai auditors, and management can 
benefit from the information and tools presented in this book in their mis- 
sion of compliance with the changing rules in their regulated environment. 
While the spécifie rules and requirements in that environment are subject 
to change, the fondamental principles of Controls and best practices should 
endure. 

Auditors may also find the content here to be instructive as they develop 
a more robust understanding of the internai control framework and gather an 
appréciation of what they need to do versus what audited entities are expected 
to do under the new auditing standards. When asides in the book are directed 
to auditors, these comments are generally marked in a box. 

While I do not intend to bludgeon the reader with SOX discussions, the 
rich environment that came from the implémentation of the requirements 
for accelerated filer public companies to report on internai Controls in 2004 


PREFACE 


make it instructive to borrow some observations from that process. Readers 
required to comply with Public Company Accounting Oversight Board report- 
ing requirements on internai control will need to consult Auditing Standard 
No. 5 and may need also to consult with other materials and SEC guidance 
focused on the SOX requirements. 



— 1 — 

An Introduction 


BUT HOW DOES ALL THAÏ RELATE TO ME? 

There has been so much press lately about the required public company 
reporting of internai Controls that some people believe that internai Controls 
pertain only to public companies. That is a misperception, since this issue 
has been and will continue to be relevant for ail enterprises. Writings in the 
auditing literature that predate the birth of ail the potential readers of this 
work address issues of internai control. And, after ail, how would Scrooge 
and Marley in Charles Dickens’ s A Christmas Carol hâve prevailed in taking 
ownership of the business had there not been a “discrepancy in the accounts”? 
The issues here transcend time and cultures. The myth has also developed 
that internai Controls hâve to be expensive and complicated. That argument 
is perhaps more a conséquence of the semichaotic 2004 public company 
implémentations of internai control reporting requirements than the true costs 
of implementing effective internai Controls themselves. This topic is discussed 
more at the end of this chapter. 

Of course, designing and implementing an iron-clad System of Controls 
might be a very expensive proposition. Ian Fleming’ s (James Bond) Goldfin- 
ger dreamed of penetrating Fort Knox, but most businesses are not likely 
to yield such a large reward worthy of such a complicated effort. And in a 
business where the doors are wide open to ail who choose to enter and create 
mischief, such extremes are not necessary. Many who choose to take advan- 
tage do so because it is easy and because we business owners and managers 
make it so easy for them to do so. 

Let’s speak facts. A 2006 published survey on fraud, published by the 
Association of Certified Fraud Examiners (ACFE), noted some statistics about 


INTRODUCTION 


reported frauds. 1 A couple may be surprising. The médian (médian means 
middle, with half the reported amounts above this number and half below) 
reported fraud for entities of less than 100 employées was $190,000. For pri- 
vate companies, the number was pegged at $210,000. I also find it surprising 
that the number for public companies is $200,000, given the size of these 
entities and the fact that these companies make public reports. The fact that 
the numbers are so large for the smaller, private entities may be a reflection 
on the weaker control environments that often exist there. How many small 
businesses can sustain frauds of $190,000? 

How many businesses hâve failed because of undetected frauds that hâve 
robbed them of the working capital to continue in business? In one family 
business I am familiar with, a nephew was taken into the business and put 
in charge of the books since the owner-uncle did not hâve computer literacy 
and the business had grown to need better records. The nephew perpetrated 
a skimming scam, redirecting certain deposit streams of cash to his Per- 
sonal accounts and not deposited with the business. Soon, when customers 
demanded their deposits back, the business was short of cash. The ultimate 
resuit was bankruptcy. The situation was almost inexplicable to the aged 
businessman, whose health and ability to cope failed almost in tandem to the 
business. True, there was no auditor or third party watching over the process, 
but the lack of any observable accounting and cash Controls or interest in 
such mundane matters from within the business made the nephew’ s malfea- 
sance possible. Once it was clear that such control matters were not important 
to management, the door was wide open. There was no happy ending here, 
except for the nephew, who has moved on to more profitable opportunities. 
He may now work for you. 

Not-for-profits hâve been shaken by widely publicized cases of misdirected 
funds, such as at the American Red Cross and the United Way of National 
Capital Area. Most recently the allégations of fraud and waste regarding 
monies paid on daims of damage due to Hurricane Katrina in the Gulf 
région hâve lessened sympathies for the victims of this tragedy. Such an 
environment sours voluntary contributors. No spécifie estimate is available of 
the contributions lost, and that continue to be lost annually, when individuals 
and corporations place their contribution dollars elsewhere. Not-for-profit 
boards are seeking more information about internai Controls and strengthening 
their processes in order to protect themselves from personal risk and their 


1. Association of Certified Fraud Examiners, 2006 ACFE Report to the Nation on Occupational 
Fraud and Abuse (ACFE, 2006). 


WE ARE ALL IN THIS TOGETHER 


organizations from risks. It is becoming increasingly harder to recruit and 
retain qualified directors to such positions, particularly when Controls are 
found to be lax. 

Issues relating to government waste and corruption are legendary, but the 
ACFE survey does not report the government as being the most vulnérable 
group. The survey notes that the médian reported fraud for government enti- 
ties was $100,000. This does not mean that this issue is less important for 
these entities, but the many audit programs and instituted Controls in some 
government environments and agencies hâve lessened the number of pro- 
grams that today are open to abuse. Or perhaps many of the sources of abuse 
hâve just not been detected or reported. Nevertheless, government entities 
pushed hard with the Auditing Standards Board to enact more spécifie stan- 
dards requiring auditors to assess Controls design and implémentation and 
report to management and govemance boards on significant deficiencies and 
material weaknesses on every audit. 2 

WE ARE ALL IN THIS TOGETHER 

Try to think of an entity that has no relationship to anyone or anything else. 
Were you successful? Probably not. As long as an entity (of whatever form or 
description) touches third parties that rely on its financial viability, then the 
distinction of “nonpublic” entity is really not a valid one. Private companies 
hâve suppliers and creditors and customers who rely on them. Employées 
also are dépendent on the financial viability of the entities. Entities that do 
not manage or control their affairs might be successful, but there are few 
examples to share. In a compétitive environment, forces usually favor the 
businesses that understand and manage their risks, hâve a culture of integrity 
and honesty, and place financial Controls over the receipt and disbursement 
of funds. Companies, auditors, government entities, and not-for-profits are 
ail subject to the risks of poor Controls: significant losses can cause small 
businesses to close, donors to drop charities, and taxpayers to revoit because 
their monies are being squandered. 

Starting in 2007, a required step in the audit of companies that seek inde- 
pendent opinions regarding their financial statements is for the independent 


2. The Auditing Standards Board is a committee of the American Institute of Certified Public 
Accountants charged with the development of auditing standards for audits of non-public compa- 
nies. Prior to 2003, the AICPA issued auditing standards that applied to both public and private 
companies. In 2003, the Public Company Accounting Standards Board announced it would adopt 
the existing AICPA standards as intérim standards but would issue its own standards for public 
companies in the future. 


INTRODUCTION 


auditor to assess the adequacy of the companies’ Controls design and implé- 
mentation . 3 If company Controls are found lacking, management and those 
charged with govemance will receive a communication outlining the sig- 
nificant deficiencies and material weaknesses identified. I will discuss this 
in more depth later. Here it is important to note that auditors will need to 
communicate a lack of company documentation of Controls and procedures . 4 

The rationale in clarifying this requirement is that so many business- 
threatening issues are able to be foreseen, but just do not seem to get man- 
agement’ s attention, it is a good practice to put in writing issues or conditions 
that management needs to be aware of that could threaten the business. Also, 
memories also are short. Regardless of the oral communications and nodding 
acceptance of management to heed the advice of its advisors, there is no 
substitute for a written communication focusing on issues. 

SO WHAT IS ALL THIS FUSS ABOUT COSTS? 

Let’s discuss this very public debate on costs a bit more. 

The protestations of smaller public entities that the régulations and audit- 
ing rules under the Sarbanes-Oxley Act of 2002 (SOX) are prohibitively 
expensive hâve caused officiais to reconsider those requirements and ease 
their punitive nature. The rules and régulations set down for companies by 
the Securities and Exchange Commission (SEC) and for auditors by the Pub- 
lic Company Accounting Oversight Board (PCAOB) do not change the basic 
principles of effective internai Controls, only the mechanisms to test and report 
on such conditions. Whether a control or business process is tested 50 times, 
20 times, or once every several years (when Controls do not change) does not 
mean a control is more or less effective, but such testing requirements define 
the amount of evidence necessary to meet professional standards for report- 
ing on such matters and affect the costs of such an exercise. Many of the 
costs that these companies are now concemed about are tied up in a number 
of regulatory and reporting matters that do not apply outside of the public 
company arena, and should not be extrapolated to the non-public company 
marketplace. The implémentation of internai control reporting in 2004 was 
marked by very distinct issues that do not necessarily apply to businesses 
that are seeking a more effective Controls environment. For example, spécifie 
to the 2004 time frame: 


3. SAS No. 109, Understanding the Entity and its Environment and Assessing the Risks of Material 
Misstatement. AICPA (1995) 

4. SAS No. 112, Communicating Internai Control Matters Identified in an Audit. AICPA (1995) 


SO WHAT IS ALL THIS FUSS ABOUT COSTS? 


• The SEC provided broad, sketchy requirements for companies to fol- 
low in documenting and assessing internai Controls. 

• Because the independence of auditors would be questioned if they 
became too involved in the company’ s Controls assessment process, 
many companies and auditors took different paths to comply with 
SOX. The resuit: more time in reconciling the two approaches later. 

• The PCAOB established a high standard for auditor performance when 
reporting on internai Controls and removed many cost-effective alter- 
natives from the auditor’ s procedures tool kit. These new auditing 
standards were not implemented and effective until July 2004, creating 
a training crunch for auditors. 

• More detailed rules for implementing these requirements were suc- 
cessively revealed during 2004, with various “questions and answers” 
being released by the SEC and PCAOB in the latter part of the year. 

• The uptick in the stock market in mid-2004 swept many smaller com- 
panies into the SEC’ s “accelerated filer” category. These companies 
and their auditors had only six months to complété their assessments 
of internai Controls. 

• Auditor training was in “real time” as information that affected auditor 
engagement performance and assessments became known or under- 
stood throughout the 2004 period. 

• No common software solution for documenting and assessing inter- 
nai Controls existed, leading auditors and companies to devise their 
own formats and approaches. Thus, both parties had to take time to 
reconcile their different solutions to the same issues of Controls docu- 
mentation and assessment. 

Ail these ingrédients created a good recipe for raising costs in a business 
environment. More telling is the second-year expérience of many companies: 
They experienced 20 to 40% overall cost réduction, even in the absence of 
any relaxation of the regulatory rules. 

Auditor Guidance 

In 2007, the PCAOB anticipâtes finalizing Auditing Standard No. 5, a replacement 
to Auditing Standard No. 2. The Auditing Standards Board anticipâtes finalizing 
the exposure draft to its internai Controls reporting guidance, AT 501, in 2007 as 
well. Both of these standards may significantly affect the procedures and reporting 
requirements associated with reporting to third parties on internai Controls. Auditors 
should be alertto these developments. 


INTRODUCTION 


IT CAN BE MANAGED 

Documenting and assessing internai Controls do not hâve to cost a fortune. 
The most significant step to take to control those costs is to be willing to put 
in some front-end time to leam about the process and become familiar with 
the terms and objectives of the exercise before plunging in with both feet. 
This book is part of that process and will assist you in the leaming process 
if it is taken to heart and not put on the trophy case bookshelf. 

Remember the old adages: “Look before you leap” and “How do you hâve 
the time to fix the problem when you did not hâve the time to do it the right 
way in the first place?” Believe them, they are true. 

In 2003, a major public company foresaw the inévitable requirement to 
document its Controls and plunged headlong into the exercise, using flow- 
charts, narratives, copying documents and manuals, and so on. The company 
built up a mountain of documentation of just about anything and everything. 
Crates of documents were stored in a warehouse-like room. When the auditors 
inquired how things were going, the company proudly announced that the 
documentation was “done.” 

Their auditors were horrified. The documentation was: 

• Not well organized or assembled 

• Inconsistent in quality from process to process 

• Limited to control activity processes (e.g., sales, inventory, purchases) 

• Voluminous — beyond what any reasonable documentation standard 
would require, with many details that were irrelevant to the task 

• Not in a format that could be easily updated for changes from year to 
year and included many written notes and documents 

• Not related at ail to the Committee of Sponsoring Organizations 
(COSO) Framework (1992) for documenting and assessing Controls 

• Difficult to relate to the auditors’ Controls assessment tool, which was 
based on COSO 

What followed was a costly and frustrating (for management) exercise of 
recasting the documentation into a usable form. 

Some success stories are also worth telling, but they are far less interesting. 
In general, the formula for cost-effective projects is just the reverse of the 
bad example: 

• Obtain an understanding of what needs to be done. 

• Plan for the work to be done over a reasonable period of time. 

• Put the resources in place to do the tasks in the time frames outlined. 


IT CAN BE MANAGED 


• Coordinate with your “independent auditor” as the project progresses 
so that you will both be on the same page at the completion of the 
task. 

The rest of this book will assist you in accomplishing the task of Controls 
documentation efficiently. If you do not first understand what needs to be 
done, your project too will become an unguided missile that is likely to miss 
the mark. 



2 

First Steps: A Pilot Project 


NAVIGATING CHAPTERS 2 TO 5 

The philosophy behind introducing the material in this chapter before going 
into more detail about the COSO (Committee of Sponsoring Organizations) 
Framework and its components is that many companies and auditors really 
like to get their hands dirty on a project and do not hâve the patience to go 
into too much detail before having some expérience. If you want to hâve a 
full grounding in ail aspects before proceeding (not a bad idea), read ahead in 
detail into Chapters 3 though 5, then corne back here. If you want to get some 
expérience under your belt, you might skim material in these chapters and 
then start back here in earnest with a pilot project. It is a matter of emphasis 
and how hard you are chomping at the bit to get going. In either case, the 
detailed material in the next chapters is more likely to be meaningful to you 
after you hâve undertaken a small pilot project. Consider Chapters 2 to 5 as a 
set that needs to be understood as a whole some time before the main project 
begins. 


THE FIRST STEPS CAN SEEM THE HARDEST 

Getting started on a major project is always difficult. Once you hâve taken 
the first steps, then it is often not so bad. Most swim instructors suggest 
you acclimate your body to the water first and not just plunge in and shock 
your System. Same advice here. However, let’s not confuse the acclimation 
process with procrastination. 

In 2004, many large public companies waited to take their first steps toward 
documenting and assessing their Controls. Some did not hâve the knowledge 
9 


10 


FIRST STEPS: A PILOT PROJECT 


about how to begin. But others hoped beyond hope that “the curse” of the 
Sarbanes-Oxley Act of 2002 (SOX) would be repealed or delayed. They 
buried their heads in the sand, hoping this curse would pass. Today we see 
the next wave of public companies exhibiting the same behaviors, and they 
will meet the same fate: The costs and the anxiety and the disruption to 
their businesses will rise as the delaying tactics push the project into a short 
time frame. There will be less time to perform the task and less time to 
remediate anything that requires adjustment. Note that in a current survey of 
accelerated filers, so far in the research every company has indicated that there 
were issues that required remediation. This in-process research has identified 
some companies where over 400 deficiencies in Controls were identified; 
this number of deficiencies was not confined to the largest companies in the 
survey group. 

Having purchased this book, you are moving in the right direction. 
Press on! 


YOU HAVE AN ADVANTAGE 

Companies documenting and assessing their Controls today hâve a number 
of advantages over the public company pioneers in 2004. Let’ s identify them 
up front: 

• There has been much written and learned about the Controls documen- 
tation and assessment process since 2004. Various books, articles, and 
practice aids can guide and assist you. 

• There is a Virtual army of consultants, advisors, and auditors who hâve 
developed skills that can be helpful to you in accomplishing the task. 

• You can select from more affordable software options and template 
options when documenting your Controls, and more are being offered 
every day. 

• Nonpublic companies do not hâve to document ail their significant 
processes and Systems, as many public companies had to do. The key 
processes and Systems are your immédiate focus. In many businesses, 
documentation of control activities may be limited to the revenue and 
disbursement processes, payroll and the process of closing the books, 
and preparing the financial statements. 

• Standards of the American Institute of Certified Public Accountants 
(AICPA) and the Public Company Accounting Oversight Board 
(PCAOB) standards are now more consistent in clarifying the rôle 
of risk assessment in setting the scope of the project. 


YOU HAVE AN ADVANTAGE 


• New PCAOB standards (Auditing Standard No. 5) hâve become clearer 
and less onerous, allowing companies and auditors to comply with 
the intention of COSO without extra baggage. This helps ail compa- 
nies and entities to right-size their projects without the appearance of 
undercutting a benchmark that many people look to. 

• Many nonpublic businesses are less complex. The lack of complexity 
will make it easier to document or implement Controls than in busi- 
nesses that are geographically separated with hundreds of product lines 
and supplier and customer relationships. 

• AICPA independence rules are less strict regarding assisting nonpub- 
lic clients in documenting and assessing their Controls. Nevertheless, 
auditors cannot be placed in a position where they are auditing their 
own work, so management needs to be involved in the Controls design, 
documentation, and assessment process. 

However, it is important to note that there are issues in the current envi- 
ronment that are not necessarily to your advantage. You should consider how 
these factors may be relevant to you. 

• Smaller entities hâve less financial and manpower resources to devote 
to Controls documentation and assessment. Few smaller entities hâve 
an internai audit fonction. 

• Unlike auditors reporting on the internai Controls of larger public 
clients, many of the auditors of nonpublic entities hâve not yet had 
expérience in working with COSO and company deficiencies. 

• Many of the consultants with considérable Controls expertise will be 
called to serve the needs of the 10,000 or more nonaccelerated filer 
public companies in meeting their first-time responsibility to report 
on their Controls beginning in 2007. There may be a distinct dearth of 
affordable and competent Consulting resources available to the 350,000 
nonpublic entities that are now looking to meet the new AICPA require- 
ments. 

• Some auditors and many entities are confused about what nonpublic 
companies need to do to meet their minimum control documentation 
responsibilities, since the new standards are “new.” 

• Much of the existing software, guidance, and literature on Controls 
since 2003 has focused on compliance with Section 404 of SOX, which 
requires companies and auditors to formally report on the effective- 
ness of internai Controls. A far lesser standard still meets the minimum 
requirements of the new AICPA auditing standards for companies sim- 
ply seeking an audit, and when not explicitly reporting on internai 


12 


FIRST STEPS: A PILOT PROJECT 


Controls. Using SOX resources for a lesser objective may increase the 
complexity and cost of the task unnecessarily. 

You need to consider your own particular circumstances in weighing your 
strengths and weaknesses in the task ahead. An honest and fair self-assessment 
can be an excellent basis on which to proceed. 

THE FIRST STEP 

You hâve choices of how to go about identifying, documenting, and assessing 
Controls. My recommendations are based on my expériences with entities 
that may bear little similarity to yours. In general, I recommend a six-step 
approach in getting started. 

1. Understand your objective and your requirements to meet that objec- 
tive. 

2. Get the big picture by under standing: 

a. The Controls framework that you will use to guide you. 

b. The required scope and extent of your project. 

3. Form a preliminary project team. 

4. Undertake a pilot project. 

5. Develop a project plan and resource plan. 

6. Evaluate the results and execute the overall project. 

The topics you will need to complété the pilot project will be dealt with 
briefly in this chapter and expanded on in later chapters. You will gain much 
expérience in the process of going through a pilot project that will make a 
reading of those next materials after the pilot project much more meaningful. 


UNDERSTAND YOUR OBJECTIVE 

In Lewis CarrolTs Alice’ s Adventures in Wonderland, there is a wonderful 
exchange between Alice and the Cat: 

Alice: Would you tell me, please, which way I ought to go from here? 

The Cat: That dépends a good deal on where you want to get to. 

Alice: I don’t much care where. 

The Cat: Then it doesn’t much matter which way you go. 

Alice: . . . so long as I get somewhere. 

The Cat: Oh, you’re sure to do that, if only you walk long enough. 

So it is important to understand your objectives first. Ask yourself: “Why 
am I doing this?” The nature, timing, and extent of procedures to be per- 
formed to achieve these options in different scénarios vary. Entities need 


UNDERSTAND YOUR OBJECTIVE 


13 


to understand that hitting the target should be the resuit of planning and 
not luck. 

Following are some common scénarios that you may be able to identify 
with. Keep in mind the relevant scénario as you read this book. Different 
guidance may apply to different scénarios. 

Scénario 1: Controls Design and Implémentation 

In this scénario you only seek to document and assess the design of Controls 
over financial reporting as a basis for understanding your entity’s processes. 
You want to identify weaknesses (gaps) in the design of your Controls that 
might open the door to fraud or mistakes. The reasons to perform such a 
task are to assist with continuity and consistency if personnel change and to 
detect unintended changes in procedures (a natural event over time) that can 
open new opportunities for fraud and misstatement. The second step here is 
to see that the described control is really in place. For example: Is the door 
to the safe in a jewelry store supposed to be closed during the day when the 
safe is not being actively accessed by an authorized person? Is this what you 
see when you are in the area of the safe? Lots of things are intended and 
written, but only by inquiring and observing that what is intended is actually 
happening can you be assured that the description of the control is reliable. 

Your objective in this scénario is not to extensively test the effectiveness of 
the Controls over time or to report to a third party on the effectiveness of your 
Controls, but just to get a sense for obvious gaps and identify unrecognized 
risks. 

This scénario is relevant to most readers of this book — those entities not 
required to report on Controls under SOX. 

Auditor Considérations 

Lower audit costs often resuit if entities document their Controls adequately and 
provide that documentation to you (the auditor) before the audit begins. As part of the 
risk assessment process in an audit of the financial statements, the auditor needs to 
obtain an understanding of the entity's processes and Controls. If entities hâve already 
provided the contrais road map, the auditor can limit his or her work to reviewing 
and not creating the documentation from scratch. Entities often are more efficient 
at performing this task than auditors because (presumably) they know their business 
better than auditors. 

Do entities or their auditors actually hâve to test company contrais (beyond confirming 
the contrais are in place)? Generally, no. In smal 1er entities, itis often more efficientfor 


14 


FIRST STEPS: A PILOT PROJECT 


auditors to test the transactions and balances directly rather than to test the Controls 
and then supplément those tests with fewer tests of transactions and balances. 
However, an auditor who wishes to rely on Controls over a cost-accounting System 
for inventory will hâve to build on his or her understanding of Controls and risks by 
testing the relevant Controls over the period of intended reliance. 


Scénario 2: Reporting on Controls 

Entities in this scénario want (or may be required) to report to someone 
on the effectiveness of their internai Controls. Ail of the considérations in 
Scénario 1 still apply, but now the entity and the auditor need more evidence 
that the Controls operate effectively. Often this may require more testing of 
Controls (by management and the auditors) as a basis for the assertion that 
the Controls are effective. 

Two possible reporting scénarios are important to consider here, as they 
relate to the type of Controls reporting that is desired. The levels of required 
effort to achieve these options differ, so it is again important to think through 
up front what you need. 

1. Reporting only on Controls design and implémentation. This type of 
report is restricted to nonpublic entities reporting under the Attestation 
Standards of the AICPA (in a section numbered AT 501). Auditors 
may not need to perform tests on the Controls to report on Controls 
design, but obvious signais, such as botched accounting procedures 
or clear bookkeeping mistakes, may require comment when opining 
on Controls. A distinction between the effort required in this reporting 
situation and that required in Scénario 1 is that many more of the 
business processes will be covered by the assessment. In most cases, 
ail material financial reporting processes fall within the scope of the 
assessment. 

2. Reporting on Controls design, implémentation, and effectiveness. This 
report requires that the auditor and the entity assess design and implé- 
mentation, but also test the entity’ s Controls as a basis for opining on 
their effectiveness. Public companies, under Section 404 requirements, 
will report this way on their Controls. Nonpublic companies can also 
report on their Controls using either PCAOB Auditing Standard No. 5 
or the AICPA’ s similar AT 501 standard. 1 For a similar purpose and 
report, the work effort under either standard is designed to be about 


1. As of spring 2007, AT 501 and AS No. 5 were on exposure. The exposure drafts were posted at 
the Web sites www.aicpa.org. and www.pcaobus.org. 


UNDERSTAND YOUR OBJECTIVE 


15 


the same. Because the PCAOB assumes an integrated financial and 
Controls audit, most entities that are not required to follow the pub- 
lic company standard hâve selected the AICPA standard, which also 
includes more examples and options than the PCAOB standard. Two 
of those options follow: 

a. Reporting on Controls “as of” the balance sheet date. The public 
company standard requires that the report be on the effectiveness 
of Controls “as of ’ the balance sheet date. The report is a snapshot 
of the Controls at a point in time. Thus, Controls can be ineffective 
for a large part of the year, but if corrected and deemed effective 
by the reporting time, the company and the auditor can conclude 
the Controls are effective “as of ’ the date of the report. For issuing 
this type of report, testing Controls near the specified reporting date 
is common. 

b. Reporting on Controls over a period of time. Public companies 
cannot report on Controls effectiveness over a period of time, but 
other entities can, under the AICPA’ s AT 501 Standard. This type 
of report speaks to whether the Controls were effective throughout 
a period and identifies issues that may hâve been discovered and 
resolved during that period. Because this report covers a period 
of time, it is more like a motion picture of the Controls than a 
snapshot. Some govemment agency regulators and user groups 
hâve indicated that this type of report is more in line with their 
understanding of their mission in monitoring Controls effective- 
ness, but the early familiarity (due to Section 404 of SOX) with 
the “as of ’ reporting date for public companies has been a source 
of confusion in setting régulations. 

Auditor Considérations 

In a simple financial statement audit of non-public entities, auditors can décidé on 
which areas (revenues, expenses, payroll), if any, they wish to rely on Controls, and 
may be able to test only those related Controls when they hâve assessed that the 
Controls design is effective. When opining on the operating effectiveness of Controls, 
both management and the auditor will need to hâve tests and other evidence over 
most of these processes to support their assessment. The broadening of the scope of 
the Controls over Scénario 1 to cover most processes, and the required testing, adds 
vast amounts of time and expense to issuing such reports. When performing such an 
assessment for complex entities with many different locations that are using different 
accounting Systems and software, the costs and complexity of the task expand at what 
seems a géométrie rate. 


16 


FIRST STEPS: A PILOT PROJECT 


Auditors and entities might think that a clean Controls opinion would 
warrant a high level of Controls reliance and provide some basis for reducing 
the extent of other procedures. Unfortunately, as was discovered with SOX 
reporting, the “as of ’ reporting requirement hid from view the hundreds of 
Controls per client (on average) that were found to be déficient and needed 
to be corrected. Those deficiencies, in place for most of the year, precluded 
auditor reliance on the Controls in these areas. For that reason, the hoped-for 
réductions in other costs could not be realized. 

The real benefit of the current Controls focus in public companies may 
corne in several years when most of the underlying control deficiencies will 
hâve been identified and corrected. A small study of actual company results 
in the first and second year indicates that not only do companies continue to 
find more (often different) control deficiencies in the second year of focusing 
on Controls, but in some cases they are finding more deficiencies and ones 
that are more serious in nature . 2 It was in the second and third year of imple- 
menting public company Controls reporting that it was found that hundreds of 
companies and auditors missed detecting the backdating and springloading of 
stock option grant dates . 3 to favor the rewards to the récipients and affecting 
the accounting for these options. This happened right under the nose of the 
SOX and with everyone energized to focus on Controls over financial report- 
ing. We hâve a long way to go to capture the spirit of a financial reporting 
Controls focus and SOX. 


THE CONTROLS FRAMEWORK AS A GUIDE 

You recall the earlier story of the entity that set off and documented every- 
thing that moved and filled a huge room with documentation. The efforts met 
the weight test, but little else. 

One more point before we plunge into the pilot project. You are not 
an island. You hâve employées, customers, vendors, and others who hâve 
an interest in your business and ability to meet your commitments as they 
become due. If you are an audited entity, some third party, such as a bank 
or regulator, probably has suggested or required an audit. As part of that 
audit, you and your auditor both hâve a need to (at the least) understand and 
assess Controls design and whether the Controls hâve been placed in operation 


2. “SOX 404: Where Are We Now?” J, Bedard, L. Graham, R. Hoitash, U. Hoitash Forthcoming in 
the CPA Journal, 2007. 

3. Backdating is setting the option grant date — the date of value measurement — to a past date and 
springloading is setting it to a date in the future. 


THE CONTROLS FRAMEWORK AS A GUIDE 


17 


(implemented). If the two of you are approaching the subject from wholly 
different perspectives, you will surely create your own Tower of Babel where 
confusion will reign (and audit time and costs will skyrocket). 

Following a common Controls framework approach helps both parties to 
look at the Controls issue from a similar perspective. While there can be 
vast différences between the details of how companies assess their Controls 
and their effectiveness, a framework helps organize the documentation and 
provides some common terminology. Public companies are required to follow 
a Controls framework in meeting their Controls requirements, but there is no 
such requirement for nonpublic entities unless a regulatory agency overseeing 
an agency or govemment entity requires it. 

However, if you are an audited entity, you need to consider that your 
auditors will be following a Controls framework approach in performing their 
assessment. If you use checklists and narratives, they will hâve to adapt your 
approach to their work, and that might become expensive. A more efficient 
strategy would be for you to use Controls documentation and assessments 
that are similar to those used by auditors. A variety of tools are available to 
assist in the process. This approach will reduce the amount of translating the 
auditors will hâve to do to make to your work to relate to theirs. 

Controls Framework 

What framework should you use? Well, the choices so far are limited, and the 
widely recognized standard is the COSO Framework. As mentioned, COSO 
stands for the Committee of Sponsoring Organizations, which was formed 
under the leadership of the Treadway Commission to develop a framework 
in which organizations could understand and improve their internai Controls. 
Frauds, financial statement misrepresentations, and errors in financial state- 
ments in the 1980s motivated public concems that led to the création of 
the Treadway Com mi ssion. In 1992, COSO released its multiple-volume 
report titled Internai Control-Integrated Framework. Interest in reporting 
on the effectiveness peaked shortly afterward, and investors failed to provide 
controls-reporting companies with a sufficient market premium to justify the 
cost in managements’ eyes. Therefore, voluntary reporting declined. When 
banks and financial institutions became responsible for reporting on Controls 
following the banking crises, the only framework available was COSO. Later, 
in 1992 when Congress mandated Controls reporting for public companies, 
it required the use of a Controls framework like COSO. Since the 1990s 
auditing standards hâve clearly been structured around the COSO Frame- 
work, and new standards effective in 2007 are even clearer that auditors 


18 


FIRST STEPS: A PILOT PROJECT 


should use this approach to assessing Controls. The UK-based framework 
(the Turnbull Report) and the Canadian framework from the Criteria of Con- 
trol Board entitled Guidance on Control, hâve been published, but they hâve 
failed to achieve wide acceptance or implémentation so far. In this book, we 
focus on the COSO-like framework. The International Standards of Auditing 
(e.g., ISA 315 and 330) do not mention COSO by name, but the concep- 
tual model developed for these standards is derived from and compatible 
with COSO. 

In 2006, in response to Securities and Exchange Commission (SEC) and 
public concems over the cost and applicability of the COSO Framework 
to smaller public entities, COSO released another report: Internai Controls 
over Financial Reporting — Guidance for Smaller Public Companies. This 
report focused on financial reporting whereas the 1992 report recognized and 
discussed three components of internai control: financial reporting, opera- 
tions, and compliance. The newer report also simplified the multiple con- 
trol objectives approach of the 1992 report, organizing the framework into 
principles and attributes. In 2007, COSO commissioned research into how 
its monitoring component can be applied in smaller entities. This latest 
report and the research are important to nonpublic entities, which also can 
benefit from the examples, simplified approaches, and sample tools are illus- 
trated in the report. Both the 1992 and 2006 COSO reports in hardcopy or 
electronic format are referenced on the Web sites of the sponsoring organiza- 
tions. To order these publications they link you to the AICPA ordering site, 
www.cpa2biz.com. 4 My recommendation would be to read the 2006 COSO 
report in conjunction with this book before embarking on your Controls doc- 
umentation project. 


The Five COSO Components 

Later we will delve more deeply into the details of the components, but I 
introduce them briefly here. COSO has developed this définition of internai 
control: 

Internai control is a process, affected by an entity’s board of directors [i.e., 
“govemance body” like an owner], management and other personnel, designed 
to provide reasonable assurance regarding the achievement of objectives in the 
folio wing categories: 


4. The COSO (www.coso.org) consists of the American Accounting Association, the American 
Institute of Certified Public Accountants, Financial Executives International, Institute of Internai 
Auditors, and the Institute of Management Accountants. Coopers and Lybrand and PriceWater- 
houseCoopers were engaged to Write the 1992 and 2006 reports, respectively. 


FORM A PRELIMINARY PROJECT TEAM 


19 


Effectiveness and efficiency of operations 

Reliability of fînancial reporting 

Compliance with applicable laws and régulations 

Our focus is internai control over financial reporting. 

For internai control to be effective, the COSO Framework requires ail five 
of these components to be effective: 

1. Control environment sets the overall Controls tone of an organization. 
It is the foundation for ail other components of internai control. 

2. Entity’s risk assessment is the entity’s identification and analysis of 
risks in the achievement of its objectives. Risks should be identified 
and managed. 

3. Information and communication relates to the Systems and reports that 
enable management and employées to carry out their responsibilities. 

4. Control activities are the processes, policies, and procedures that help 
ensure that management directives are carried out. They consist of 
the Controls over revenues, expenses, and the financial statement close 
process. 

5. Monitoring is a process that oversees internai control performance. 

These terms should become familiar and more distinct as you begin to 

study them. However, often the application of these components to a business 
enterprise involves interlinking relationships. For example, the génération of 
complété, accurate, and timely reports ( information and communication ) may 
be necessary for effective management monitoring and may hâve implications 
for the overall tone of the entity control environment. 

FORM A PRELIMINARY PROJECT TEAM 

The reason to form a preliminary project team is that unless you are working 
with a seasoned, competent consultant, the likelihood is that you will not be 
able to put together an optimal project team on the first try. Organizations 
tend to hâve managers and technical workers, but the best team leader for 
a Controls documentation and assessment project is a person who possesses 
both skills and sufficient clout to make sure the organization as a whole 
coopérâtes with the effort. The chief financial officer (CFO) or treasurer may 
be the best organizational fit for the project, but if this person does not hâve 
some hands-on expérience of working with this sort of project, he or she 
may not be able to oversee effectively and enforce the necessary quality on 
the project. 


20 


FIRST STEPS: A PILOT PROJECT 


One way for the project team to gain expérience without significant risk or 
wasting time and resources is to identify a small working group — a prelim- 
inary project team — and try to complété a piece of the documentation and 
assessment prior to tackling the more complex subject areas. In this way, 
the group will understand the attributes and skills that need to be added or 
supplemented in order to form a highly effective project team. 

My suggestion would be to include these individuals on this pilot project 
team: 

• The most senior accounting officer: the Controller, CFO or treasurer 

• The most senior information technology (IT) person: the chief infor- 
mation officer, the head of IT 

• The person in charge of the department or function selected to be the 
pilot project 

• A staff person who is likely to be asked to participate in the création 
of the documentation, such as an internai auditor or member of the 
accounting staff 

Too large a pilot group will lessen effectiveness. In smaller entities (e.g., 
simpler businesses with few employées), two or three people may be ail that 
are needed or available. 

Selecting an area for the pilot project need not be difficult. Pick a “con- 
tainable” project, not one involving multiple processes in multiple locations. 
If there are six different ways to sell your product (cash sales, crédit sales, 
Internet sales, electronic data interchange, etc.) and you use different Sys- 
tems for sales in each market or location, then do not choose the whole 
revenue cycle for the pilot. Control activities, which are only one component 
of internai control, may be a good project base, as these are the éléments 
most associated with “controls” and do not require as many subjective judg- 
ments. However, areas such as the control environment and risk assessment 
components are more difficult to assess since the criteria for assessment are 
less well defined and more judgmental. Payroll is usually a pretty well orga- 
nized and centralized function, but sometimes it is mostly controlled by the 
use of a service organization (e.g., a payroll préparation service), which is a 
complication when performing a pilot project. For example, the processes 
and Controls related to fonctions that these outside organizations perform are 
still relevant when assessing Controls, but these processes are often “cov- 
ered” by a spécial audit report called a Service Organization Report (a 
“SAS 70”) which may obviate the need to directly assess and test the out- 
sourced Controls. Thus, as a pilot project, such an outsourced function may 
only involve those Controls over information passing to and from the service 


FORM A PRELIMINARY PROJECT TEAM 


organization. Cash disbursements are also often pretty well organized and 
controlled, and can be an effective pilot project. Even in cases when differ- 
ent types of cash disbursements are handled differently, depending on the 
type of invoice (e.g., routine utility bills, contractor payments, purchases, 
etc.), you might carve out just one or two of these processes for the pilot. 

Use the pilot project to gain an under standing of COSO and how it needs to 
be adapted to your organization. Familiarize yourself with some of the terms 
so that the project team is communicating using common vocabulary. You 
should plan on working through and adapting the control objectives in the 
pilot area to your organization. You should also plan to assess the IT general 
Controls and software application Controls surrounding the pilot application. 
Note that the 1992 COSO report only illustrâtes control objectives for certain 
costs and inventory, and the 2006 report illustrâtes control objectives for 
revenues and some other areas. You may hâve to go through the thought 
process in some other areas to décidé what control objectives should be. Some 
sample control objectives are illustrated in the appendix to Chapter 4, and 
a methodology for developing original objectives is illustrated in Chapter 5. 
See Chapter 4 for how to set up a control objective-oriented matrix for 
documenting Controls for your pilot. 

When you hâve completed your pilot project, you will hâve findings and 
observations. If you hâve identified potential risks or deficiencies in the pro- 
cess, you may not be able to classify them immediately as to their severity. 
That is OK for the pilot project; you may need further guidance and expé- 
rience before you corne to any conclusions. You may want to discuss your 
findings within the project team for now. If you conclude that Controls need 
to be strengthened or remediated, then that action can begin. Chapter 7 will 
assist you in identifying deficiencies and assessing their severity. 

Let’s suppose you chose payroll as your pilot project. You might hâve 
identified that the payroll clerk has access to changing the standing data used 
to préparé the payroll (e.g., pay rates, as authorized by human resources 
or management). While no issues indicated that anything was misstated and 
there were no complaints, the fact is that the access to changing these records 
could create a problem that might be hard to detect. So the assessment is 
generally that such issues could be serious, and actions and procedures to 
reduce the risk should be taken. Sometimes such access is controlled by 
limiting the clerk to a “read-only” status for that data or by a spécifie review 
of ail or a sample of the rates used in the calculations. 

Once you finish the project familiarization process, hâve a group debriefing 
with management to review: 


FIRST STEPS: A PILOT PROJECT 


22 


• Things that went well 

• Leaming expériences 

• Considérations when expanding the process, such as documenting ail 
five components of internai control and their attributes 

• The rôle of IT and any issues identified 

• What training, orientation, and review will be necessary to ensure 
consistency in the performance of tasks across the entity 

• The composition of the future project team 

THE REAL PROJECT: SETTING PRIORITES 

In the bigger “real” project, you will be encouraged to hâve the IT and 
control environment components assessed early in the project. Deficiencies 
in these areas can overshadow the effectiveness of lesser Controls. Many 
companies that left the IT assessments until last had issues that could not 
be remediated before year-end, resulting in adverse opinions on Controls. 
When not reporting on internai Controls, companies that leave the foundation 
areas until last are just fooling themselves. If IT or control environment 
issues arise, they essentially trump the detail conclusions reached on the 
more mundane Controls and render those conclusions useless. For example, 
if you hâve assessed and tested Controls over routine cash disbursements and 
you find out later that management sometimes overrides those Controls and is 
prone to doing so, then your conclusions on the processing of disbursements 
are useless. For example, if a business owner ignores the Controls over the 
lending process and directs subordinates to make loans to entities that do 
not meet the lending objectives of the organization, the Controls over lending 
(e.g., crédit checks, appraisals, site visits, etc.) are ineffective, even if they 
work well, “most” of the time. 

Early identification and remediation of control design or operation defi- 
ciencies also provide a basis for allowing auditors to be more efficient in 
performing their work. It is commonly believed that testing and relying on 
effective company control procedures results is a more economical audit than 
if the auditor has to place ail or just about ail of his or her reliance on sub- 
stantive audit procedures. Substantive tests of accounts and balances (e.g., 
confirmations, vouching, analyses of accounts, etc.) are generally thought to 
be expensive to perform as a class of procedures. When planning the required 
audit procedures, auditors can rely on an entity’ s Controls only when those 
procedures are effective throughout the period of reliance. The auditor can- 
not rely on ineffective Controls that in place before a correction was made. 
A well-controlled business has two benefits: 


PROJECT AND RESOURCE PLAN 


23 


1. An environment that permits management to focus on business 
development and profïtability instead of fighting tires and fussing with 
issues caused by weak Controls and fraud risk 

2. A more economical audit 

PROJECT AND RESOURCE PLAN 

At this point, you can draw up a larger plan, identifying the areas to be 
included in the documentation and assessment and the resources probably 
needed to accomplish those objectives. Unless the scope of the project is 
clearly based on the objectives you considered in the early project stages, 
you will need to identify: 

• The processes, accounts, and transaction streams and related locations 
that will be included in the total project 

• Those processes, accounts, and transaction streams and locations that 
can be excluded from the project and still meet your objectives 

Those who had to report on internai Controls for the first time in 2004 had 
little or no expérience in performing the documentation and testing of Controls 
required by Section 404. Grand time plans and budgets were drawn up and 
approved, but in the end were often grossly understated because participants 
were unfamiliar with performing such an assessment. Some of the worst 
cases of budget understatement came from those companies that had to keep 
increasing the scope of their projects incrementally. They undershot the mark 
they were expected to achieve and were slow to expand their scope when 
they realized they had insufficient coverage to assess their overall Controls. 
Had they initially scoped more into their assessments and then excluded the 
truly low-value and low-risk areas, their projects would hâve been more like 
or better than their budgets. 


Project Scoping 

When the objective is to report on internai control, few processes, accounts, 
and transaction streams can be excluded outright from the assessment process. 
In general, any material (significant) account should be considered initially in 
the risk assessment and perhaps deemphasized later if the potential likelihood 
and magnitude of the risk is assessed as low. When something is excluded 
up front from considération, disastrous conclusions can resuit, since its risks 
were not even considered. Consider the example of foreign currency trading 
for hedging purposes that has never in the past led to large profits or losses. 
Not considering this area on the basis of past profits ignores the potential 


24 


FIRST STEPS: A PILOT PROJECT 


exposure the entity faces from any significant “positions” that might be taken 
or if a trader makes a very large transaction without prior authorization. Some 
years ago, Barings Bank was brought to its knees by the actions of a foreign 
currency trader operating out of an insignificant (in assets) remote location 
(Singapore). 

Reported values may also be misleading as a discriminating attribute. For 
example, a remote location with a small profit contribution may not look 
important, but its lack of Controls might be allowing local management to 
skim revenues and understate profits. Besides volume and location asset 
base, risk should be considered when considering whether an element can 
be excluded from the analysis. 

Companies simply seeking to document the Controls surrounding their 
major processes, accounts, and transaction streams often find that a few areas, 
such as revenues, expenses, and payroll, cover the bulk of the activity. 

With management and the project team, you will hâve to go through the 
thought process of scoping the overall project and assessing resource needs. 
If you are reporting on Controls and need to scope into your project many 
accounts and different locations, sometimes it is helpful to hâve a consul- 
tant with more expérience in managing such projects help in budgeting. 
If your objective is simply to document and assess the design and implé- 
mentation of Controls, you may not need assistance; simply confirming your 
conclusions about scope and the timetable with your auditor may be suffi- 
cient. In Chapter 6 we talk more about hiring support resources and how 
to manage that process. When the scope of the project is significant, you 
can use tools like MS (Microsoft) Project to manage project and resource 
issues. 

Note that more senior team resources may be needed in sensitive areas, 
such as the control environment and some aspects of risk assessment and 
monitoring, to conduct interviews and gather evidence. Their help must be 
factored into the plan. 


Can My Auditors Help? 

Under AICPA independence rules, if you are a nonpublic company and you 
are developing your documentation of key processes and Controls, your audi- 
tors or consultants affiliated with your auditors can assist in this process. 
In the end, entity management will hâve to take responsibility for directing 
and approving the work they do, and auditors are cautioned not to place 
themselves in a position where they would in essence be “auditing their own 
work.” More caution needs to be taken if reporting on internai Controls under 


PROJECT AND RESOURCE PLAN 


25 


the AICPA attestation standards (AT 501), as there will be more situations in 
which auditors could wind up auditing their own work. 

For public companies, SEC and PCAOB rules are stricter, and auditors 
may hâve a more limited rôle — limited to being a “scribe” to document 
Controls as directed by management or an independent project manager. 

Even when consultants are engaged, I strongly recommend that, in public 
and nonpublic entities alike, management and employées should be signifi- 
cantly involved in the Controls documentation and assessment process. Active 
participation by entity management and personnel in the performance of the 
process will resuit in lower costs and a better basis for assuming the mainte- 
nance of the documentation going forward. 

To that end, entities should, if not fully documenting the Controls on 
their own in the first year, in the next year plan to take control of updating 
their documentation. 

Incrémental Annual Improvement 

It may take several years to put ail the Controls documentation into the proper 
order that best meets company and auditor needs and is in an easy-to-maintain 
format. At the same time, it pays to try to do it right the first time. 

After the first year of Controls documentation and testing under SOX, 
second-year costs for accelerated filer companies declined 20% to 40%, and 
that was without any relief from the high level of management and audi- 
tor testing required under AS No. 2. A “kinder and gentler” AS No. 2 was 
recently proposed as PCAOB Standard (No. 5). Ail companies should take 
great comfort in that statistic and realize that a good first-year effort in doc- 
umenting Controls will return future year savings, regardless of the target 
objective. We can expect even greater efficiencies for companies not reporting 
on Controls and not having to test Controls for that purpose. When selecting 
software or an approach for documenting Controls, the ability to roll forward 
the Controls documentation for update in the next year should be considered. 



3 

The Five Components 
of The Controls Framework 


SOME BACKGROUND 

Originally developed in a different era to address corporate concems in 
the 1980s about misstatements and fraud in major corporations, the COSO 
Framework has emerged in recent years as the dominant Controls framework 
worldwide. This is not to say that the framework is not without its challengers 
or challenges, just that it is best known and most widely used today. When the 
legislators wrote the Sarbanes-Oxley Act of 2002 (SOX), accelerated filers 
needed to quickly adopt a controls-based framework for documenting their 
Controls. The législation did not require the use of the COSO Framework; 
it merely required that the entity and auditors use an acceptable framework 
that had certain characteristics, and other existing frameworks did not qualify 
immediately, and were even less well known. In the future, there may indeed 
be other popular frameworks, but today the COSO Framework is the most 
commonly understood and leads the pack. It seems likely that your audi- 
tor will find your documentation more understandable and easier to work 
with if you are mindful of the COSO Framework in your documentation 
development. 


Auditor Guidance 

The American Institute of Certified Public Accountants (AICPA) auditing standards are 
essentially based on the COSO Framework and hâve been since the 1990 effective 
date of Statement of Auditing Standards (SAS) No. 55, Considération of Internai 


27 


28 


THE FIVE COMPONENTS OF THE CONTROLS FRAMEWORK 


Control in a Financial Statement Audit. The recent changes in the international 
auditing standards (of the International Audit and Attest Standards Board) make the 
International Standards of Auditing (e.g., ISA 315 and ISA 330) consistent with the 
COSO Framework. 


THE FIVE COMPONENTS 

While people naturally relate to Controls such as bank réconciliations and 
dual signatures on large checks and approving new customers in advance 
of taking orders, the COSO Framework identifies these as only one of the 
essential éléments in an effective control System. The five components are: 

1. Control environment sets the overall Controls tone of an organization. 
It is the foundation for ail other components of internai control. 

2. Entity’s risk assessment is the entity’s identification and analysis of 
risks in the achievement of its objectives. Risks should be identified 
and managed. 

3. Control activities are the processes, policies and procedures that help 
ensure that management directives are carried out. They consist of 
the Controls over revenues, expenses and the financial statement close 
process. 

4 . Information and communication relates to the Systems and reports that 
enable management and employées to carry out their responsibilities. 

5. Monitoring is a process that oversees internai control performance. 

What is maddening to some is that these are not five discrète, indepen- 

dent éléments. Often Controls, processes, and business characteristics involve 
more than one component, and sometimes the subject matter is not uniquely 
assigned but affects many components. For example, information technology 
(IT) is important in many entities today. The networks, the communica- 
tions, the accounting applications software, and so on ail hâve key rôles in 
maintaining Controls. To illustrate further: Information Systems, generally net- 
works and other connections, are the vehicle to transmit e-mail and distribute 
reports for management use in a business ( information and communication, 
monitoring ). Accounting software is used to record transactions and sum- 
marize information for financial reporting ( control activities, information and 
communication ). Security and passwords are used to ensure that authorized 
persons hâve access to the data and functions needed to do their jobs and 
to reduce the overall ability of individuals to perpetrate fraud ( control activ- 
ities, control environment). Clearly IT is a key element in most of today’s 
businesses, but it touches multiple components in the control framework. 


CUBES, TRIANGLES, AND OTHER REPRESENTATIONS 


29 


The trick here is to make sure to consider properly the IT implications 
of the control activities that record and classify transactions and data when 
looking at the individual Controls. For example, when looking at the control 
that ensures that only items that hâve been accepted as bona fide orders are 
shipped, you must consider the rôle of any computer-generated and data files 
needs. Was the sales software that authorized the sale and shipment well 
controlled, and not under the direction of the person authorized to make the 
shipment? Was the file of authorized customers also protected from falsifica- 
tion? Was the transmission of the sales order and authorization to ship secure 
and not subject to intervention and alteration? 

Further, just think about the importance of data transmission in gen- 
eral ( information and communication) and to providing timely and accurate 
reports to management so that they can perform their oversight and moni- 
toring fonction reliably. Poor, inaccurate, or late communications can also 
diminish the overall quality of the control environment. 

Thus, in many cases, there are interrelationships between the components; 
they are not unique silos that stand alone. 

CUBES, TRIANGLES, AND OTHER REPRESENTATIONS 

The mapping of the five components into a diagram to enhance understand- 
ability has resulted in several forms. None is more expressive or better than 
the other; a lot dépends on what you were first exposed to and how you 
best remember the components. When first formally teaching fois subject to 
auditors, a wall-size chart of COSO components was developed to assist par- 
ticipants in visualizing the framework and its components. After users gained 
some expérience with the components, the chart no longer served a purpose. 
Nevertheless, some form of représentation can be helpful to anyone becom- 
ing acquainted with the subject. You may use any one that has meaning for 
you, or develop your own. 

A cornmon représentation of the five components is the COSO “cube,” as 
depicted in Exhibit 3.1. It is used in the professional auditing literature and 
was illustrated in the original 1992 COSO report. It shows the five compo- 
nents of control as layers in the cube. In addition to financial reporting, it 
also shows the dimensions of operations and regulatory compliance. For the 
purposes of documenting Controls over financial reporting, an entity is not 
specifically responsible for documenting its Controls over operations (e.g., 
documenting how efficiently and effectively products or services are pro- 
duced or delivered), or the details of how compliance with ail the régulations 
to which an entity might be exposed is ensured. Unfortunately, potential 


30 


THE FIVE COMPONENTS OF THE CONTROLS FRAMEWORK 



Exhibit 3.1 The Coso Cube 


Source : Adapted from COSO "Integrated Framework," 1992. Artwork is not by COSO. 

financial reporting and accounting implications can arise from operations, 
and you may hâve to ensure that financial reports capture that information. 
As an example, suppose as a resuit of a poor-quality production run, waste 
and customer retums hâve skyrocketed. This will resuit in additional period 
costs and accruals that need to be captured for likely customer returns and 
crédits. If a regulator imposes restrictions on your ability to issue securities 
or take on debt, your business may hâve going concem issues that should 
be assessed and disclosed. If you are subject to fines for violating pollution 
laws, those contingent liabilities may require disclosure. Thus, regulatory and 
operating issues that hâve financial conséquences will need to be considered. 
Again, the divisions are not as clear-cut as the drawings might imply. 

Along the third dimension of the cube, we are reminded that different entity 
divisions and different product fines may hâve their own control structure, 
even though they may share some éléments with other units. For example, 
many companies share the same control environment, as management and 
company policies are often common to ail the business units. However, when 
companies are comprised of independent companies, united mostly by stock 
ownership, the two may not share control environments or anything else for 
that matter. 

The order of the items in the cube has always been of interest. As the 
control environment is the foundation of control, most can understand why 
it is at the base of the cube. Yet since it overrides ail else, some might 
expect it to be at the top. Actually, in the professional auditing literature, 
the cube is inverted, with the control environment at the top. In Exhibit 3.1, 


CUBES, TRIANGLES, AND OTHER REPRESENTATIONS 


the detailed Controls (control activities) are sandwiched between the other 
components; users might therefore see how the other components are related 
to and influence the control environment. I could go on, but why? If the 
diagram helps, use it. 

Another diagram included in the 1992 COSO report depicts the five compo- 
nents in the form of a pyramid (see Exhibit 3.2). The “base” of the pyramid is 
the control environment, and the information and communication component 
runs along the edges across the components. 

An advantage of this représentation is that it clearly indicates the foun- 
dational rôle for the control environment and shows that information and 
communication eut across the categories and are not a separate layer. Mon- 
itoring, the capstone, is represented as overseeing what is below. The three 
dimensions of internai control are not part of this diagram, nor are the rep- 
résentations of the multidimensional nature of many companies. Again, if it 
helps you visualize and understand the components, use this diagram. 



Exhibit 3.2 The Coso Pyramid 

Source : A copy from page 13 of Framework section of COSO "Integrated Frame- 
work," 1992. 


32 


THE FIVE COMPONENTS OF THE CONTROLS FRAMEWORK 


Want more options? Make up your own. Psychologists say that when we 
personalize images, they become richer and more mémorable for us. So let’s 
drop ail the shapes and labels and see if we can shape an image that is Per- 
sonal. Instead of a building block position, imagine the control environment as 
an atmosphère. The control environment is comprised of the management and 
governance of the entity, its integrity and ethical values, its human resource 
policies and practices. It is the overall tone at the top. A healthy atmosphère 
promûtes well-being and long life. A poisonous environment afflicts ail other 
aspects of the business and can imperil the operations. Closely aligned with 
the environment is risk assessment, as this component looks for possible 
threats from outside and within the business, and develops Controls, policies, 
and procedures to protect the business and manage the risks. Almost like 
a weather plane or a weather balloon operating in that general atmosphère, 
management and those charged with governance (e.g., owners, boards, and 
elected officiais) are on the lookout for risks (e.g., compétitive threats, insur- 
able risks, new product fines, labor strife, etc.) that might develop at various 
levels so that they can be thwarted or avoided or defenses can be mounted. 
Information and communication cuts across and touches ail the components 
and functions like radio waves moving within and outside of the confines of 
the bricks and mortar of the business building structure. The control activ- 
ities are the tangible éléments of transaction processing that describe how 
transactions are initiated, processed, and recorded: like the physical repré- 
sentation of the bricks and mortar and equipment we often associate with 
transactions and business activity. Monitoring is the process by which man- 
agement ensures that things are performing as they were designed to do. 
You add the image. Does this rôle of monitoring evoke thoughts of maternai 
concem, a police or guard function, or the monitoring wires in a medical 
device, keeping watch on the entity’ s vital signs? You do not need for me to 
give you a drawing, you hâve one in your mind. And it will make the frame- 
work more real for you. And when you put ah these components in their 
place, do you see how difficult it can be for those risks and issues to escape 
détection? 


THE CONTROL ENVIRONMENT 

One of the most significant mistakes made by large public companies in 2004 
in the rush to comply with the accelerated filer requirements was the delay 
in addressing the control environment as a component of the framework. 
Why the delay? Because the control environment is hard and disquieting to 
evaluate, requires a lot of judgments, and because we do not hâve readily 


THE CONTROL ENVIRONMENT 


33 


available and objective tools to assess it. The control environment is an 
intangible and thus is subject to interprétation (and rationalization). 

Massive family business frauds like Parmalat and tone-at-the-top issues at 
Disney and AIG, Inc. in the midst of the SOX législation implémentation 
push show that ail sorts of entities are subject to risks from the tone set by 
top management. Now that we are in the post-SOX implémentation period, 
will there be no more tone-at-the-top issues in large organizations? Think 
again. The regulatory environment has driven some of the past bad behaviors 
of some corporate managements temporarily underground, but the éléments of 
problems are still présent and will be part of a long weeding-out process — if 
it ever will be successful. 

The most striking example of hubris in the face of additional corporate 
scrutiny and Controls testing under SOX is the 2006 révélation that hundreds 
or possibly thousands of corporate executives were allowed to springload 1 or 
backdate stock option grant dates, in violation of accounting and corporate 
procedures rules, to maximize their personal profits. Even more remarkable 
is the fact that major accounting firms did not consider the option granting 
process to be within their scope for testing under their reporting on inter- 
nai Controls, despite the fact that the issue involves following accounting 
rules and affects disclosures and compensation expense. Auditing practice 
has always been one of closing the barn door after the horse escaped. Audi- 
tors leam from their mistakes and oversights. Public Company Accounting 
Oversight Board (PCAOB) guidance now explicitly addresses this issue. 
Unfortunately, the line from the movie The Fortune Cookie is ail too true 
in so many ways: “Every time they build a better mousetrap, the mice get 
smarter.” This widespread practice was actually signaled by an academie 
study that analyzed the dates of corporate stock option grants and compared 
them to the cyclical stock price patterns of the corporations. 2 The corrélation 
of the stock prices and grant dates demonstrated that something manipulative 
was going on. When employées of these companies leam of such shenani- 
gans that heap millions of dollars on top of already bloated executive salaries, 
what impact do you think that has on their motivation and attitude? Sure, tell 
them budgets are tight and their 3% raise is a reflection of their value as key 
employées. The press surrounding AIG Insurance, the alleged fraud at Refco, 


1 . “Springloading” options is the practice of picking stock option grant dates that just précédé some 
expected “good news” corporate announcement, therefore making the options more valuable to 
the executive immediately after the announcement. 

2. While a number of academie studies hâve addressed this issue, see Eric Lie (May 2005), “On the 
Timing of CEO Stock Option Awards” Management Science SI (5), pages 802-812. 


34 


THE FIVE COMPONENTS OF THE CONTROLS FRAMEWORK 


and frauds and collapses at other hedge funds serves as a reminder that the 
passage of a law does not change morals ovemight. Some of these cases and 
some of the longer-term lessons they hold for us ail are discussed further in 
the chapter on fraud. 

As we get into some of the components of the control environment, you 
will see that, despite its key rôle, it is an elusive and difficult component to 
assess. 


An Ethical Environment 

What makes an environment ethical? You get a pretty fair sense of a busi- 
ness’ s ethical makeup if you spend enough time in it. Are the right things 
being done for the right reason? Look at the company’ s attitudes toward its 
customers, suppliers, and workers. Is there a sense of fair play in ail that is 
happening? This is not a set of checklist items “yes, I hâve this; yes, I hâve 
that . . but a sense of trust in the individuals who are part of that entity to 
do the right thing even in the absence of a written policy or rule. To ensure 
that management communicates its values and expectations throughout the 
organization, it may help to hâve a policy, code of conduct, or statement 
of ethical values and to periodically confirm that employées and manage- 
ment alike understand the policies. And you should be careful not to impart 
stéréotypés on the type of organization. There are good and bad tones présent 
in ail sorts of entities: Churches, charities, civic associations, hospitals, and 
governing boards may hâve or not hâve ethical policies. I hâve witnessed 
several times in my career the fact that a change at the top of a multinational 
entity can cause its ethical fiber to deteriorate at lightning speed. What was 
true last year may not be true now. Unfortunately, the road to recovery after 
such a slip is a long one; and some organizations never make it back at ail. 

An organization that cannot discipline itself or its employées for ethical or 
policy breaches is simply asking for trouble. Those charged with govemance 
could be business owners, a board, or an elected body, and they must be 
willing to step up and say no to themselves when a salesperson pushes the 
sales manager to accept a risky or high-cost sales contract or a supervisor 
uses intimidation to manage employées. Imagine a major city without any 
police function. Even if 95% of the city’ s population went on about their 
business and did not change their behavior, the other 5% would make the 
resulting situation pure chaos. If entity policies mean anything, they need to 
be enforced, on staff as well as management. Employées see and intemalize 
the stretched expense accounts, supervisor pressure on to make sales targets, 
and the intimidations of other employées and the tendency to “look to one 


THE CONTROL ENVIRONMENT 


35 


side” by other employées to avoid confronting management transgressions, 
and that expression of the culture starts to erode the underlying organizational 
fiber. A principal reason people steal from their employers is a feeling of 
resentment and a sense that they are entitled to their ill-gotten gains and that 
nobody cares. The PCAOB got it right when it elevated senior management 
fraud “of any magnitude” to the top level of control deficiency severity. 
Cheating on expense reimbursements, or modifying the stock option grant 
dates to the greatest personal advantage by the CEO says a lot about the 
character of that individual, and the entity that tolérâtes or downplays the 
significance of the issue, based solely on the person or the amounts involved, 
shows it is lacking an ethical environment. 

We are focusing on Controls over financial reporting, so we need to say a 
few words about competency in business and accounting matters. Many enti- 
ties were founded by nonbusinesspeople: entrepreneurs. For example, there is 
a stéréotypé of the “typical” scientist who has invented the better mousetrap 
or odor-masking spray, and when the company is small and only two or three 
people are involved, he or she may feel perfectly connected to ail aspects 
of the business and its finances. As that business grows, the entrepreneur 
may be drawn back into the sanctity of the lab and become more distant 
and reliant on others for day-to-day operations. Such a scénario is a com- 
mon risk, as the “owner” no longer really takes “ownership” of the entity. 
As another example, ministers, priests, and other clerics may feel that the 
only monitoring that is meaningful is that done by a suprême being, but in 
reality churches, charities, and communities hâve a strong business aspect, 
and accounting is not one of the majors in divinity school. Some take a deep 
interest in ail aspects of the operations, and some like to focus on “higher 
objectives” and tum the worldly activities over to (often marginally paid) staff 
and volunteers. Medical practices can also be prone to the same risks. These 
scénarios can be potentially disastrous, as the titular head of the organization 
becomes disassociated from the business, and oversight falls away. Witness 
the case of the secretary in the medical office who embezzled $2.6 million 
and spent most on lotteries and gambling, hoping to really strike it rich. 3 How 
does a doctor’s office not miss $2.6 million? Often such circumstances repre- 
sent “opportunities” to disrupt the organizational structure of a larger entity, 
deteriorating it into a patchwork quilt of vague and evolving responsibilities. 
Once that happens, who can monitor such an amorphous mass? 


3. L.I. Bookkeeper Admits Stealing $2.3 M to Play Lottery. As reported 
8/24/06. 


i'.nysscpa.org, posted 


36 


THE FIVE COMPONENTS OF THE CONTROLS FRAMEWORK 


Many organizations today, not just public companies, form boards or audit 
committees to oversee the entity as a control over the possible myopia of 
management. The effectiveness of boards varies widely, and even more so 
outside the public company arena. Some not-for-profit entities are notorious 
for selecting board members based not on business acumen but on their like- 
lihood to make or sway contributions to the organization. Some boards hâve 
been accused of being puppets of management and ineffective as checks and 
balances. This is not surprising, as, in the past, business owners appointed 
loyal friends and supporters as board members, or discharged board members 
who questioned or opposed the owner’s plans. There is a body of academie 
accounting research going back 20 years on the effectiveness and charac- 
teristics of members of the board. The need for independent directors who 
are not part of management is today recognized in the rules of the Secu- 
rity and Exchange Commission (SEC) and exchanges that list stocks and in 
some State laws. Change has been slow in coming, but there is a clear trend 
toward including independent directors and directors with financial account- 
ing expertise on boards and audit committees. As a resuit, many not-for-profit 
entities hâve called for their boards to be modeled after and compliant with 
the SEC, listing exchange requirements, and recommendations of the Blue 
Ribbon Committee on audit committees. 4 Entity govemance structure is also 
an element of the control environment. 

As you hâve seen from the prior discussion, the ethical environment is 
part of the control environment and is also related to the organizational 
structure — not the physical chart with the Unes and names, but “how it 
Works” — and it can either strengthen the organization or allow it to become 
crippled. 


The Blue Ribbon Committee: Independence Issues 

RECOMMENDATION 1 

The committee recommended that both the New York Stock Exchange (NYSE) and 
the National Association of Securities Dealers (NASD) adopt the following définition 
of independence for purposes of service on the audit committee for listed companies 
with a market capitalization above $200 million: 


4. In 1998, the New York Stock Exchange and the National Association of Securities Deal- 
ers created the Blue Ribbon Committee on Improving the Effectiveness of Corporate Audit 
Committees, which moved quickly to issue recommendations geared to enhancing audit com- 
mittee independence and director qualifications. A summary of the panel’s recommendations is 
included in Appendix 3A to this chapter. The full report can be obtained from the website: 
www.nasdaq.com/about/Blue_Ribbon_Panel.pdf. 


THE CONTROL ENVIRONMENT 


37 


Members of the audit committee shall be considered independent if they 
hâve no relationship to the corporation that may interfère with the exercise 
of their independence from management and the corporation. Examples of 
relationships that impair independence include: 

■ A director being employed by the corporation or any of its affiliâtes for 
the current year or any of the past five years; 

■ A director accepting any compensation from the corporation or any of 
its affiliâtes other than compensation for board service or benefits under 
a tax-qualified retirement plan; 

■ A director being a member of the immédiate family of an individual who 
is, or has been in any of the past five years, employed by the corporation 
or any of its affiliâtes as an executive officer; 

■ A director being a partner in, or a controlling shareholder or an executive 
officer of, any for-profit business organization to which the corporation 
made, or from which the corporation received, payments that are or 
hâve been significant* to the corporation or business organization in any 
of the past five years; 

■ A director being employed as an executive of another company where 
any of the corporation's executives serves on that company's compensa- 
tion committee. 

■ A director who has one or more of these relationships may be appointed 
to the audit committee if the board, under exceptional and limited 
circumstances, détermines that membership on the committee by the 
individual is required by the best interests of the corporation and its 
shareholders, and the board discloses, in the next annual proxy statement 
subséquent to such détermination, the nature of the relationship and the 
reasons for that détermination. 

RECOMMENDATION 2 

The committee further recommended that the NYSE and the NASD require that listed 
companies with a market capital ization above $200 million hâve an audit committee 
comprised of only independent directors: 

The committee recommends that the NYSE and the NASD maintain their 
respective current audit committee independence requirements as well as 
their respective définitions of independence for listed companies with a 
market capital ization of $200 million or below (or a more appropriate 
measure for identifying smaller-sized companies as determined jointly by 
the NYSE and the NASD). 

*The committee views the term "significant" in the spirit of section 1 ,34(a)(4) of the American 
Law Institute's Principles of Corporate Governance and the accompanying commentary to that 
section. 


Accounting compétence is fundamental to an organization’ s ability to gen- 
erate worthwhile intérim financial data to monitor itself between audited 
periods and even generate “fairly presented” financial statements at year-end. 


38 


THE FIVE COMPONENTS OF THE CONTROLS FRAMEWORK 


While certified public accountants (CPAs) can be very good at finding 
accounting mistakes and correcting them, there cornes a point when there 
are so many mistakes and so many hard-to-identify omissions that the abil- 
ity of any mortal man or woman to find them ail is challenged. Accounting 
compétence is also part of the control environment, as it places a cap on 
the effectiveness of financial information and communication, the underly- 
ing mechanism for managing the business and ensuring the cash flows are 
sufficient to meet the cash needs. Under professional standards today, inde- 
pendent auditors are asked specifically to evaluate the entity’s accounting 
policies, the competency of the staff and the chief financial officer against 
the entity’s needs for accounting expertise. Those entities requiring more 
assistance than the staff can reliably supply can usually hire outside expertise 
on an as-needed basis to fill in any gaps. It is often far cheaper to hire such 
temporary assistance than it is to hire additional high-competence personnel 
or pay independent auditors to unscramble the mess at year-end. Of course, 
some auditors enjoy putting puzzles together and the créative transactions 
“thunk up” by the bookkeepers. It gives them great stories to tell each other 
in the off season (e.g., “I remember the sale of a single fixed asset that 
seemed to resuit in 20 or so entries trailing through the books and between 
accounts. . .”), so you may be spoiling their fun and lowering their fees. Such 
is life. 

The 1992 COSO Framework identified the competencies of an entity to 
account for its transactions and préparé its financial statements as a require- 
ment for assessing the control environment as “effective.” Those charged with 
governance may be receiving written communications pointing out these lim- 
itations beginning with 2006 calendar-year audits. There is more about this 
sticky point in Chapter 7. Making it even more sensitive is the framework’s 
perspective that the independent auditor cannot serve as part of an entity’s 
internai control. Although current AICPA independence rules permit auditors 
to provide accounting guidance and to draft financial statements and footnotes 
for auditees, other professional standards (SAS No. 1 12) require auditors to 
assess the entity’ s compétence to perform these tasks without the independent 
auditor’ s help. 

One final element of the control environment is the rôle of human resources 
(HR) in the organization in helping to set the overall tone for the entity. A 
huge source of resentment in entities relates to the hiring, rétention, pay, and 
promotions of its employées. Even in the best-run HR-conscious entities, 
there is a constant pressure on the business to reconfirm its ethical musings 
in actions that speak louder than words. Is compensation perceived to be 


THE CONTROL ENVIRONMENT 


39 


based on performance? Is performance evaluated and honest feedback given? 
Is there some career path or personal development plan in place that helps 
employées see their possible future direction or the entity’s commitment to 
their personal development? Do liberal or ad hoc personal leave policies 
place on those left behind under unreasonable demands to pick up the slack 
over long periods without assistance? Good HR management is not always 
saying yes. I recall an instance where a seriously overburdened individual 
who was nearly harassed when he tried to take a week’ s vacation (“This 
is not a good time to be away from the office for so long, would a couple 
of days suffice for now until this period is over?”) was confronted with 
knowledge of a relatively newer employée peer generously being granted a 
five-week period to vacation overseas — on the premise that this was common 
in the country where she previously worked. This did not go down very 
well, and the man began to look for a better work environment. It was not 
pay, but insensitivity and a sense of unfaimess that lost the organization a 
good and dedicated worker. Ultimately the organization had to hire several 
individuals to match the skill sets of the man who became discouraged and 
left. Ensuring that situations creating resentment and bad feelings do not get 
out of hand is a constant balancing act between labor laws, good HR practice, 
and organizational communications. Perceived insensitive actions, seen by 
ail, can set the tone more than any written policy. Abusive, harassing, or 
threatening behaviors from of the executive office spread like wildfire through 
some organizations, with each supervisory layer often unconsciously adopting 
a style that imitâtes the rôle model they are shown as being most appropriate 
in that business culture. The end resuit is a whole entity comprised of tough 
guys. And then they wonder why they cannot retain good employées. Thus, 
the rôle and fair management of HR and the establishment and enforcement 
of entity HR policies is an important element in the control environment and 
can hâve a huge impact on the costs of doing business. 

Before we leave this area, let’s recount some of the thèmes we discussed 
that make up the control environment : 

• Integrity and ethical values 

• Those charged with governance and their management style 

• Accounting and business competencies 

• Personnel policies and human resources 

Perhaps a pictorial représentation would make this set of attributes more 
meaningful to you. If so, draw the picture and use that to cernent these 
concepts into your understanding. 


40 


THE FIVE COMPONENTS OF THE CONTROLS FRAMEWORK 


RISK ASSESSMENT 

There are two important rôles for risk assessment in the framework, and 
sometimes they are confusing, so let’s make the distinctions right up front. 
One aspect of risk assessment relates to the financial reporting risks for the 
overall entity. This aspect assesses regulatory and compétitive environment 
issues and also identifies entity business processes, accounts, and activities 
that are more risky or are relatively low risk in nature. The other aspect is at 
the detailed control activities level, where a risk assessment of implications, 
and the likelihood and potential financial exposure of a control failure needs 
to be assessed. The latter risk assessment is more easily discussed as a com- 
ponent of control activities . Here we concentrate on the big-picture aspect of 
risk assessment. 

Business Process and Financial Reporting Risks 

An aspect of this Framework component is management’ s understanding of 
its business processes in order to identify the risky and sensitive factors that 
can affect financial reporting and financial viability. To disclose significant 
financial risks, as required under generally accepted accounting principles 
(GAAP), one must first identify them. In any entity, there are usually some 
activities that could expose it to risk. The nature of the entity does not make it 
immune from the risk. Some years ago, Orange County, California, suffered a 
major financial setback when an interest rate bet tumed out to be very wrong 
and resulted in huge losses that threatened financial ruin to the county. The 
adviser making these investments had a long track record of making money 
with financial instruments, and the county both relied on the income generated 
from these activities and was not alert to the downside risks in the positions in 
these instruments, if the unexpected were to occur. In the banking business, 
Barings Bank established a small office in Singapore to trade currencies, 
and that office generated profits until one day there was a massive loss as a 
resuit of trades and positions that worked against the bank. Ail of a sudden 
the entire bank was in financial trouble. Not-for-profits are not im mune. The 
American Red Cross suffered terribly in réputation and in future contributions 
when allégations of top management excess and fraud were exposed. Fraud 
and alleged mismanagement are popular political thèmes near élection time 
and indeed play a rôle in changing voter preferences. Such allégations can 
dry up voluntary contributions to charities and religious institutions almost 
instantaneously. 

Entities face different risks, but they are risks ail the same. Identifying 
business risks can lead to the need to take other actions to limit the financial 


RISK ASSESSMENT 


impact of potential events. Financial transactions can often be structured to 
limit the downside exposure of a bad bet. While the net gains on transactions 
may suffer somewhat by entities having to enter into other transactions to 
limit the downside exposure, the protection is often a prudent practice, more 
so when govemments and not-for-profits are operating with monies entrusted 
to them. For example, if foreign currency swings are a risk, entities often 
“hedge” large exposed receivables or payables that are to be settled in a 
foreign currency by executing a currency exchange contract that will offset 
any changes in the relative exchange rates. While a currency contract (for 
the sale or delivery of a foreign currency) may cost money to execute, the 
changes in its value theoretically will offset the changes in the value of the 
receivable or payable, and reduce the entity’s risk from currency fluctuation. 
While hedges are generally considered risk-reducing, trading currencies solely 
to make profits may be risk-increasing. You need to understand the business 
purpose of the transaction to understand on which side of the risk the activity 
belongs. 

Most insidious is the lure to try to measure risk in terms of financial mea- 
sures rather than in terms of exposures. The past profits of an activity or 
assets committed to a location are not always a fair indicator of potential 
exposure. Neither the Orange County nor the Barings Bank example would 
hâve tripped the risk measure based solely on past profits or the size of 
the operation. Understanding the downside exposure risk of such activities 
was necessary to comprehend the risks. Managers who equate small dollar 
amounts with small risks are taking real chances. The remote location that is 
excluded from oversight because it is not contributing much to the bottom line 
could be engaging in activities with large regulatory implications and incur- 
ring environmental liability risks far greater than the stream of reported profits 
or the asset base of that location. A small publicized fraud or misdirection 
of funds can devastate a not-for-profit’s stream of contributions. 

Be Sure to Include Information Technology Issues in Your Risk 
Assessments 

One risk area that causes the eyes of many managers to glaze over is the rôle 
and importance of information technology (IT) to the entity and how IT is 
integrated into business strategies and risk assessments. Most Intemet-based 
businesses hâve some appréciation for technology and its risks, but few enti- 
ties understand how really dépendent they hâve become on communications, 
networks, and software and on the security of electronically stored data, 
customer lists, and intellectual property. Risk assessment needs to consider 


42 


THE FIVE COMPONENTS OF THE CONTROLS FRAMEWORK 


IT risks. Auditors are reminded in recent standards about their responsibilities 
to understand internai Controls, including IT. Thus IT-based Controls are in 
scope for even the minimum procedures required in an audit, and auditors 
need to assess the design and implémentation of IT application and general 
Controls. Apart from that, entities also need to consider access and security 
issues and the risks that relate to IT in their overall risks assessments. For 
many entities, best practices are to consider IT as an integrated part of the 
business and consider it whenever assessing business risks. 

When today’s business guidance and auditing standards call for the use 
of risk assessment to identify key Controls and accounts for examination, 
there is a need to consider risks of overstatement and understatement as 
well as risks of exposure. A product line or location may appear to be poorly 
performing because someone has figured out a scheme to skim revenues from 
the organization. Restaurant license revenues may be less than they should 
be because poor Controls over the identification of licensed restauarants is 
keeping ail restaurants from being properly identified in the database. For 
example, a standing database of licensed facilities should be updated when 
new licenses are issued, but in some organizations the two files are not related. 
Unfortunately, businesses, govemments, and auditors do not hâve a sterling 
track record of identifying ail these businesses and financial reporting risks up 
front. The lack of a consistent, reliable method for making such assessments 
may be part of the problem. In my view, when entities scope out locations, 
accounts, and business processes up-front, before a careful analysis, they 
are just asking for trouble. To do the job right, I suggest first obtaining 
evidence that ail is well and that ail the exposures hâve been considered, 
before concluding the process is indeed a low risk. 

The Bigger Picture 

Sometimes risk assessment needs to look outward from the organization. No 
entity is an island. A thriving local paper box manufacturing business in 
a declining écono mi e région will eventually feel the effects of the décliné, 
unless the business begins to expand its customer base to régions not affected 
by the local downward trend. And expanding to new markets can significantly 
influence costs and require an infusion of capital, or additional loans. The exit 
of big Steel from Bethlehem, Pennsylvania, and the corporate headquarters 
of IBM from Binghamton, New York, can leave a large hole in the local 
economy that may require new business strategies; they may reflect increased 
bad debt reserves or even going-concem issues that are important financial 
statement disclosures. 


RISK ASSESSMENT 


43 


Owners, managers, and those charged with govemance need to be close 
enough to these issues to be able to anticipate and plan for them, and to gauge 
their impact on financial plans and current disclosures. The monitoring of key 
indicators of the business, the relevant economy, and the demand for products 
and services will provide the signais that need to be considered to fulfill the 
risk assessment component of the framework. 

What are the factors that your entity should be looking to when trying 
to identify risks and strategies that hâve influence over it? Are general éco- 
nomie or local économie factors involved? How about the trend in interest 
rates? Are there risks of environmental liabilities due to laws? And how does 
your entity monitor these factors that might give rise to additional risks and 
resuit in financial reporting disclosures or accounting récognition of certain 
costs? 


Sélection of Appropriate Accounting Principles 

Another aspect of risk assessment relates to the accounting principles 
employed in the entity. Are the selected principles appropriate to those busi- 
ness risks faced by the entity? If regulatory or statutory accounting principles 
are imposed on the entity, as may be the case with certain government and 
highly regulated businesses, those principles need to be followed, but there 
is always an opportunity for adding optional disclosures to better présent a 
matter that statutory accounting otherwise imposes on the entity. Even reg- 
ulated entities may hâve choices regarding how the accounting principles 
are applied, and considération is generally given to the practices of others 
in the industry and any unique characteristics of the business when select- 
ing among any options. In recent years, the concept of industry practices 
has taken a backseat to the GAAP requirements. Actions of the SEC in early 
2005 to correct certain industry practices of public companies regarding lease 
accounting made it clear that GAAP should be followed and that industry 
practices, however widespread, do not trump that basic guidance. Entities 
need to consider the users of financial statements and their needs and not just 
accounting régulations when preparing financial statements. 

What is GAAP? Different entities may follow different GAAP guidance. In 
general, most private businesses follow the relevant guidance of the Financial 
Accounting Standards Board (www.fasb.org), and State and local govem- 
ments follow the Guidance of the Govemmental Accounting Standards Board 
(GASB; www.gasb.org). Fédéral government entities follow the guidance of 
the Fédéral Accounting Standards Advisory Board (FASAB; at www.fasb 
.org). A few FASB accounting standards are specifically directed to issues 


44 


THE FIVE COMPONENTS OF THE CONTROLS FRAMEWORK 


relating to not-for-profit entities, such as SFAS No. 93, Récognition of 
Dépréciation by Not-for-Profit Entities, or regulated entities, such as SFAS 
No. 90, Regulated Enterprises — Accounting for Abandonments and Disal- 
lowances of Plant Costs . Entity accounting officers and personnel should 
hâve a working knowledge of the relevant standards, reporting formats, and 
disclosures required by these standards. As mentioned in connection with the 
control environment, lack of entity compétence regarding preparing the finan- 
cial statements including the accompanying notes is a deficiency that may 
preclude a conclusion that the entity has an effective control environment. The 
independent auditor, under the COSO Framework, is not considered a part 
of an entity’ s internai control and is not a substitute for internai compétence 
in accounting. 

In most cases, GAAP for smaller businesses is the same as GAAP for 
larger businesses. This fact has not been popular among smaller entities, 
as the rules hâve become both complicated and numerous in recent years, 
requiring an ever-increasing level of skill and knowledge. Currently, a task 
force is examining the potential implications of creating simpler principles 
for smaller entities, but there is not likely to be any significant finding in 
the near term that will lift the accounting burdens for smaller businesses. 
Sometimes, in an effort to moderate the accounting burdens, the FASB has 
set longer implémentation periods for new standards or guidance for smaller 
entities. 

The real blessing for smaller entities is that they are generally simpler 
in structure than larger businesses. Many of the accounting rules that are 
designed for complex situations simply do not apply because the business 
transactions of smaller entities are not complicated. Thus the threshold of 
compétence for the accounting fonction of a smaller business is less than 
that demanded for some companies regulated under the SEC and the various 
stock markets. The bar is a fonction of the entity’ s needs, not a universally 
consistent measure. 

Inclusion of Fraud Risks within Risk Assessment 

Not to beat the drum at every tum, but entities should gauge their exposure 
to risks of fraud. Under auditing standards in effect since 2002 (SAS No. 99, 
Considération of Fraud in a Financial Statement Audit), independent auditors 
need to consider even more carefully these risks as an element in every audit. 
This auditing standard elevates the number of fraud-directed procedures that 
should be performed on every audit, decreasing the rôle of risk assessment in 
selecting the procedures to perform. Clearly, the past ineffectiveness of the 


RISK ASSESSMENT 


45 


risk assessment process by itself to head off issues that hâve led to major 
business collapses has motivated standards setters to increase the require- 
ments in this area. To the extent that the entity has identified, assessed, and 
addressed these issues in advance, that can go a long way to reducing the 
effort required of auditors, who are less familiar with the business, to ensure 
that these risks are being monitored and addressed. 

Of particular focus should be any business policies, practices, or struc- 
tures that “invite” fraudulent behavior. For example, are sales commissions 
structured in such a way that sales représentatives hâve strong incentives to 
misreport the period in which sales should be recognized? Are sales repré- 
sentatives given control of setting certain sales terms and incentives that may 
not be favorable to, or in accordance with policies of the business? Are duties 
of the accounting personnel such that one employée can initiate a transac- 
tion and approve a payment? Is there a risk that cash can be systematically 
skimmed from a cash collection process? Is there an impending merger, debt 
refinancing, or other event that could motivate a misstatement of financial 
position to receive a benefit? 

While ail of these issues can be mitigated by Controls and monitoring 
oversight, knowing the pressure points that exist in a business helps the 
entity design effective Controls and monitoring procedures to mitigate the 
risks. 

An exhibit accompanying the auditing standard on fraud (SAS No. 99, 
Management Antifraud Programs and Controls: Guidance to Help Prevent, 
Deter, and Detect Fraud) depicted the rôle of antifraud programs and Controls 
in reducing the risk of fraud in an entity. The exhibit was jointly developed 
with and supported by a number of organizations while not a formai part of the 
standard, it provided a vehicle for communicating some of the best practices 
of business in preventing and detecting fraud. This exhibit is reproduced with 
permission of the AICPA as the appendix to Chapter 8. 

Some of the éléments of such programs and Controls include: 

• A written fraud prévention policy (e.g., part of the code of conduct) 

• A culture of honesty, openness, and assistance 

• Communication of ethical business practices and behavior 

• A positive workplace environment 

• An effective System to monitor internai Controls. 

• A mechanism for employées to report possible fraud anonymously 
(e.g., a fraud hot line) 

• A process to monitor and take action to avoid temptations or mitigate 
risks. 


46 THE FIVE COMPONENTS OF THE CONTROLS FRAMEWORK 

• Mechanisms to investigate ethical, accounting, analytical, or operating 
performance anomalies. 

• Management that acknowledges responsibility for this element of risk 
assessment and risk management 

Of course, such programs need to be scaled to a reasonable cost-benefit 
balance for the organization. The community civic association and the large 
governmental unit would be expected to hâve different level of formality 
regarding such Controls, but in essence the objective is similar in both orga- 
nizations. The larger and more complex the organization, the more important 
these Controls become, as they can help breach the anonymity and detachment 
that sometimes breeds or permits fraud in large organizations. 

An important aspect of fraud risk management is a sensitive one: manage- 
ment override of Controls. In 2005 the AICPA published a monograph entitled 
Management Override of Internai Controls : The Achïlles’ Heel of Fraud Pré- 
vention. As noted in the monograph, many of the significant frauds that hâve 
corne to light over many years hâve demonstrated the key rôle that senior 
management played in the fraud. Senior management has the capacity to 
exert strong influence over employées to accomplish the goals they hâve 
in mind — including less than lofty goals. Nevertheless, management teams, 
boards, committees, and other structures can be put in place to mitigate the 
risks. 

More will be said about fraud risks in Chapter 8. 


CONTROL ACTIVITES 

This is probably the topic you thought this book was about — the Controls over 
initiating, authorizing, and processing accounting transactions and financial 
reporting. Dual signatures, approvals of new customers, bank réconciliations: 
You know, the real Controls. However, from the perspective in the frame- 
work, these Controls can ail be rendered ineffective by weaknesses in other 
components. In a culture that tums a blind eye to unethical practices or where 
management overrides or thwarts the purpose of Controls, in an IT environ- 
ment where anyone can gain access to the books and records and sensitive 
information, in an environment where monitoring is hindered by poor com- 
munication or a lack of timely business data, these transaction-level Controls 
can be rendered ineffective, even though they might appear to be effective 
most of the time. That is why, when companies report on the effectiveness 
of their Controls, they must not hâve material weaknesses in any component of 
the framework; if they do, an “effective” Controls conclusion cannot be drawn. 


CONTROL ACTIVITES 


47 


Identifying Business Processes 

A first step in the process of identifying and documenting Controls is to 
hâve an understanding of the important business processes relevant to your 
entity. Sometimes you can identify dues to these processes from the accounts 
in the balance sheet and income statement: for example, revenues, cost of 
sales, and inventory. Often these processes are grouped in related ways. For 
example, one could identify a cycle of purchasing through the cash disburse- 
ment activity, another cycle might involve revenue (sales) through to cash 
receipts. Grouping these transactions into cycles helps simplify the under- 
standing of how transactions are initiated, processed, and recorded, and of 
various account relationships and how they ultimately are presented on the 
financial statements. 

If the purpose of your Controls documentation is limited to documenting 
the key processes (such as to meet minimum auditing standards for entities 
that are not public), perhaps only several (the key) cycles (sales, cost of sales, 
payroll, etc.) will need to be documented. If you are reporting on the effec- 
tiveness of your internai Controls, you will pick up more cycles, generally 
including ail the accounts in your balance sheet and income statement. A sim- 
ilar concept applies if you are a multiproduct producer or seller. The sources 
of the bulk of your revenue and expense streams from these products will be 
in the scope of your minimum required documentation, but if you are report- 
ing on internai Controls, you might expect to consider in your project any 
streams that might, individually or in the aggregate, be material in amounts. 

In entities with multiple locations, you will include in your analysis the 
locations contributing to the bulk of the revenues, assets, or income; if you 
are attesting to Controls effectiveness, include more cycles at more locations. 

As an example, can you get a sense of the likely cycles you would include 
in your project based on the financial statement and budget sample reports 
presented in Exhibit 3.3 and Exhibit 3.4? 

A few points related to the presented financial items. Start with the rev- 
enues and expenses. A few of the captions may need to be broken into 
separate categories. For example, Covenant House might hâve different types 
of expenses underlying the heading Program Services, if different types of 
expenses follow different payment and recording procedures. For Controls 
assessment, they may need to be broken out or depicted as different branches 
in a flowchart of process flows. Similarly for Middlesex County, the Gen- 
eral Government might require separate considération of the different types 
of appropriations if it follows different processes for initiating, recording, 
and processing the transactions. Some entities follow a common process for 



48 


(612,115) - - ( 612 , 115 ) 1,282,833 



50 


THE FIVE COMPONENTS OF THE CONTROLS FRAMEWORK 



Exhibit 3.4 Sample Budget 

Source : www.co.middlesex.nj.us/comptroller/operating.asp 


ail transactions of a similar type, and in this case you may be able to treat 
those transactions as a single process. In the county example, departmental 
différences may be so great that it is more efficient to break the entity into 
departments for Controls assessments than to try to describe the Controls from 
the perspective of a single entity. 

One outgrowth of Sarbanes-Oxley in the public company environment has 
been the reengineering of processes and Controls to consolidate them into 
fewer distinct or unique processes and procedures. For example, a company 
may standardize the approval procedures for cash disbursements across ail 
subdivisions and standardize Controls over payroll. In some areas, the unique- 
ness of the transactions require separate considérations, but for common 
expenses, having common Controls and procedures are just good business. 
Having these common Controls and procedures assists in management of 
the business and reduces the complexity and costs associated with assessing 
internai Controls. 


CONTROL ACTIVITES 


In addition to the transaction-oriented cycles, you will probably need to 
consider the periodic close process as a separate business process. The peri- 
odic close contains these procedures: 

• Summary of the transactions during the period 

• Recording dépréciation 

• Adjusting the asset and expense accounts to reflect the correct period- 
end amounts 

• Préparation of estimâtes and allowances, such as for bad debts and 
warranty reserves 

• Consolidation and élimination of intracompany balances 

• Obtaining estimâtes of fair values, as required by GAAP 

• Currency translation 

• Tax accrual 

• Préparation of the financial statements 

• Préparation of the accompanying disclosures 

Not ail of these procedures are performed for ail entities. In many simple 
businesses, the process is a snap. In more complicated entities, the process is 
very important and complex, and worthy of implementing targeted procedures 
and Controls to ensure that everything goes smoothly. In any case, the act 
of assembling the financial statements and disclosures usually makes this a 
process that you will need to document in your project, even when only 
seeking to meet the minimum documentation standards. 

Narratives 

There are several ways in which Controls can be documented as a basis 
for Controls assessment. One way is to write narrative descriptions of the 
processes and control procedures. For example, here is a partial narrative 
relating to cash disbursements in a smaller entity: 

Nancy opens the daily mail and séparâtes the checks from the bills and corre- 
spondence. She complétés a cash deposit slip for the checks received and marks 
them “for deposit only” and gives the deposit and checks to John. The bills are 
also passed to John for recording and correspondence is routed to the appropriate 
person. Correspondence that is marked “personal or confidential” is not opened 
before it is given to the récipient. . . 

...John préparés the checks for Chuck’s signature by attaching the latest 
support document or invoice to the check. John compares the support to the 
amount and payee on the check and initiais the invoice in a space where he 
stamps the original as “Paid” and signs the check. Checks over $1,000 also 
require a second signature — Sally, his business partner. 


52 


THE FIVE COMPONENTS OF THE CONTROLS FRAMEWORK 


And on and on it goes. The strength of a narrative is that it describes the 
flow very well. Its weakness is often revealed when it needs to be used to 
assessment the design of the Controls. For example, do we know who these 
people are and what other duties they may hâve? Does John also make the 
deposits, and is there any control that what John received is actually deposited 
and posted to the accounts the way that Nancy passed it on? How do we 
know? Is cash ever received? Narrative documentation often also focuses on 
describing the processes that are followed but deemphasizes true Controls. Is 
it important for financial reporting purposes that we know what happens to 
correspondence? Probably not. Is opening the mail a control? 

Processes and Controls 

Managers and auditors often initially hâve difficulty in distinguishing these 
two concepts, but they are critically different. Dictionary définitions are not 
necessarily really ail that helpful here, but illustrations can be helpful. 

Is a bank réconciliation a process or a control? Let’s ask some simple 
questions: 

• Do you need to do a bank réconciliation in order to account for your 
transactions? No? Then it is probably a control. 

• Do you hâve to make deposits and process bills in order to account for 
your transactions? If the answer is yes, then it is probably a process. 

• Do you need to hâve management approve payments by checking the 
invoice to the amount paid before checks are signed in order to execute 
transactions? No? Then that is probably a control. 

Now the issue is to document Controls is such a way as to focus on their 
control aspects, not just the process. 

Control Objectives 

The 1992 COSO Framework introduced the concept of using control objec- 
tives to focus attention on the operation of the Controls and not just the 
processes themselves. Control objectives prompt the respondent to answer 
“how” the entity processes and procedures achieve the framework-defined 
control objectives. For example, this is a sample control objective related to 
cash disbursements: 

How do you ensure that disbursements are approved and accurately made out to 
the correct payee or vendor? 

Starting with the proper control objectives is important. They should be 
complété, tailored to your business, and not redundant. The COSO documents 


CONTROL ACTIVITES 


53 


hâve sample objectives (also called “attributes” in the 2006 guidance) that 
may help you get started at thinking through the appropriate control objectives 
for your entity. More detail on this issue is provided in Chapter 4. 

When performing your pilot project, you will want to start with the sample 
control objectives for the area you hâve selected, and see how many of these 
objectives are satisfied by the current Controls in place. 

Risk Assessment 

As it relates to this control objective, it is also helpful to think through in 
advance “what can go wrong.” Does the control seem to meet the stated 
objective, and is it adéquate to mitigate risks that you can think of in your 
spécifie business? Consider both fraud and simple error. A little brainstorming 
by the project team can go a long way toward identifying gaps in Controls. 
Thinking about these possible scénarios in advance can also direct you to 
documenting the right Controls, as you now know what issues the Controls 
need to be designed to address. With a properly constructed complété set 
of these control objectives, the risk of gaps appearing between the control 
objectives is narrowed, and the risk of failing to detect a design gap when 
one exists is also narrowed. 

Can the check be diverted to the bookkeeper’s account? Can inaccurate 
payments be made, leading to late charges and fees and diminished business 
crédit ratings? Failure to meet the objective could mean, for example, that 
the check could be diverted to other persons or purposes. It could also mean 
the check could be made out to or diverted to the bookkeeper’s personal 
accounts. In the absence of comparing the check to the underlying documen- 
tation and support for the expenditure, the amount or the payee could be 
incorrect. In exercising the control, the manager has the expérience of know- 
ing the normal business expenditures and the service and product suppliers, 
and the expected heat and power utility bill charges. While they are not ail 
focused on this spécifie control objective, classic fraud schemes surround 
the payment cycle. For example, more than one bookkeeper has posed as 
a vendor or supplier that submits bills for plumbing, landscaping, and other 
products and services either by setting up a dummy business or serving in the 
rôle of a contractor who then “subcontracts” the actual work at a much lower 
price, or does no work at ail. Another scheme where original documents are 
not used for authorizations is for the fraudster to resubmit an already paid 
invoice and divert one payment to a personal account. A third is a simple con- 
spiracy an insider and a provider who can propose invoice payment approval 
for deliberately overpriced services or products. The insider later splits the 


54 


THE FIVE COMPONENTS OF THE CONTROLS FRAMEWORK 


excess charges with the service or product provider. Not ail these risks are 
covered in this one control objective, and that is why numerous objectives 
are needed. 

The documented control response might be something like follows: 

Entity Control: John pro vides original documented support for each payment to 
Chuck, who compares that check and support, and initiais the support documents 
and stamps them as “Paid.” 

Chuck is exercising a control over the authorization and accuracy of the 
payment and also ensuring the check goes to the correct payee. 

This control objective does not directly address the risk of duplicate pay- 
ments and the value of stamping the original document as “Paid.” That is a 
separate control objective. Stamping the original as “Paid” and working only 
with original documents cuts the duplicate payment risk. If you can trust the 
integrity of a System of control objectives for an account or transaction cycle, 
that goes a long way to helping you focus attention on whether the design of 
the control is sufficient to prevent or detect material misstatement, whether 
from error or from fraud. The effective design of a set of control objectives 
will help ensure that the control design is effective. 

The COSO Framework released in 1992 provided some sample control 
objectives relevant to the five components. However, in the control activities 
component, the examples were more limited and focused on cash disburse- 
ments and inventory objectives. In the 2006 COSO guidance for smaller 
companies, the control objectives (called attributes 5 in this document) for 
another major cycle, revenues, were illustrated. These illustrations provide 
examples of how control objectives can be developed. Firms, software solu- 
tions, and texts such as this one may assist users in developing control 
objectives for their entity that effectively cover the general risks and issues 
their businesses face. No off-the-shelf solutions are likely to provide ail the 
control objectives and be perfect for your business, so be prepared to spend 
some time reviewing any example objectives you might hâve access to and 
adapting these to fit your business. Chapter 4 provides more guidance on 
adapting control objectives to your entity. The message here is simply that 
you must reserve some time for this start-up task in your first year project 
budget. 


5. While the relationship between control objectives and attributes is not explored directly in the 
2006 COSO guidance, I beüeve that attributes might be viewed as logical combinations of control 
objectives. A smaller number of control objectives can help consolidate effort and reduce the 
costs and complexity of documentation. However, the smaller subset of attributes will mean more 
documentation will be required for each attribute. There are trade-offs here. 


CONTROL ACTIVITES 


55 


A sample of some control attributes control objectives by account and cycle 
is provided in the appendix to Chapter 4. Other potential sources of control 
objectives include trade organizations, publications, auditors, and consultants. 
Some govemmental audit objectives are cited by the Government Account- 
ability Office (GAO) in the Financial Auditing Manual, which is posted at 
www.gao.gov. That publication contains Spécifie Control Evaluation (SCE) 
forms and Account Risk Analysis (ARA) forms. Some examples are included 
at the end of the 300 section in that document. 

The Rôle of Assertions 

Assertions are used to ensure that the web of Controls over the risks is com- 
plété. While assertions hâve been cited in the professional auditing literature 
for a long time, they hâve had varying effects on the audit approaches of 
different independent auditing firms. Starting in 2004 for audits of public 
companies and in 2007 for ail other audited entities, auditors will need to 
use assertions extensively in the documentation of the audit process to pro- 
vide linkage between assessed risks, Controls, and further audit procedures. 
Assertions hâve always been an element in the COSO Framework, and are 
particularly relevant to control activities. 

Assertions can be a useful tool from which to consider the risks in accounts, 
transactions, and disclosures that are required in financial reporting. They will 
probably be very useful to you when you are faced with situations where a 
predefined set of control objectives has not been developed, for example, 
when a particular entity activity is not one of the “classical” activities nor- 
mally undertaken by retail or manufacturing entities (e.g., the Controls around 
the securitization of a pool of mortgages of a mortgage company). 

You should commit to using assertions when documenting your Controls. 
This way you hâve a second confirmation source that the risks and issues 
hâve been addressed. The use of assertions will also help your auditor to link 
your documented procedures to the audit documentation format he or she is 
using to demonstrate his or her understanding of Controls. Documenting your 
work by assertion will save you the extra auditor service time and fees. 

The assertions that follow were adapted from the recently implemented 
AICPA literature. There are other assertion schemes out there, and you may 
use them for documenting your Controls. However, if these schemes are not 
coordinated with your auditor’ s methodology, the auditor will hâve to map 
your assertions to those used in their audit process. You may wish to ask 
your auditor in advance which assertions he or she is using, unless you hâve 
a strong preference. 


56 


THE FIVE COMPONENTS OF THE CONTROLS FRAMEWORK 


For some accounts, an assertion may be unimportant. This is true regarding 
the valuation assertion over cash when it is denominated in a single currency. 
In such a case, the valuation assertion is generally not relevant, and that can 
be explained as part of the documentation. When the translation of currencies 
is necessary to préparé financial statements, the valuation assertion is then 
relevant. 

Income Statement and Current-Period Transactions 

1. Occurrence. Recorded transactions reflect e vents that relate to the 
entity and actually occurred. 

2. Completeness. Ail transactions that should hâve been recorded hâve 
been recorded. 

3. Accuracy. Amounts and other key data relating to recorded transac- 
tions were appropriately recorded. 

4. Cutoff. Transactions were recorded in the correct accounting period. 

5. Classification. Transactions were accounted for in the proper accounts. 
Balance Sheet Accounts at Period-End 

6. Existence. Assets, liabilities, and equity interests that are recorded 
actually exist. 

7. Rights and obligations. The entity owns the assets, and the liabilities 
are obligations of the entity. 

8. Completeness. Ail assets, liabilities, and equity interests that should 
hâve been recorded hâve been recorded. 

9. Valuation and allocation. Assets, liabilities, and equity interests are 
accurately reflected in the financial statement. Any accounts requir- 
ing valuation assessments (e.g., allowances for uncollectible accounts, 
product warranty costs, etc.) or cost allocation adjustments (e.g., vari- 
ances assigned to inventory, shared costs of separately reported product 
fines) are appropriately recorded. 

Présentation and Disclosure in the Financial Statements 

10. Occurrence and rights and obligations. Transactions that were dis- 
closed actually pertain to the entity. 

11. Completeness. Ail required disclosures are made in the financial state- 
ments. 

12. Classification and understandabïlity. These assertions are derived 
from the FASB Concepts Statements, and note that the presented finan- 
cial information (including the footnotes) are appropriately described, 
and that the disclosures are clearly expressed. 


INFORMATION AND COMMUNICATION 


57 


13. Accuracy and valuation. Information in the financial statements is 
disclosed at appropriate amounts. 

Some entities and auditors simplify these 13 assertions into fewer. For 
example, the cutoff assertion is used to make sure that sales and costs are 
recorded in the proper period. The concept of the “thirty-fifth of December” 
is leaving the books open to advance transactions into the past period. In 
other cases, the transaction cutoff date occurs before it should, pushing trans- 
actions from one period to the next. Some of the risks to be considered when 
considering the importance of cutoff include: 

• Objectives to maximize reported income 

• Objectives to minimize taxes 

• Sales commission plans that create incentives to move sales from 
period to period to maximize salespeople’s income 

• Management bonus plans based on achieving certain targets 

In any case, the cutoff assertion relates to either a completeness or an 
occurrence problem. Some entities and auditors do not use it, but apply the 
two related assertions to the related transactions stream instead. 

Other entities and auditors may use only four assertions for the balance 
sheet, income statement, and disclosure applications. They are: 

1. Completeness 

2. Existence 

3. Accuracy 

4. Valuation 

As you can see, the concepts behind the 13 assertions can be shoe-homed 
into these 4, so that may be an alternative for documenting Controls. When 
using such an abbreviated version, you may need to be aware that the terms 
may be applied slightly differently in each area, but the simplification may 
still make it worth considering this approach. Again, I suggest that client and 
auditor documentation be made as synchronous as possible to facilitate an 
efficient audit and promote good communication. 


INFORMATION AND COMMUNICATION 

This next component of the framework, information and communication 
(I&C), spans several and perhaps ail of the components. This component is 
separately identified, as it is more easily assessed as a framework component 
rather than by how it impacts each other component. 


58 


THE FIVE COMPONENTS OF THE CONTROLS FRAMEWORK 


The I&C component encompasses the flow of reports and communications 
within the entity: Are the reports and communications timely, accurate, and 
complété? It would be hard to do the bookkeeping as well as the financial 
reporting and the monitoring that management does without reliance on the 
communications and reports generated by the financial accounting Systems. 

While information technology plays a significant rôle in this component 
in many larger entities, IT is discussed separately in this chapter. 

Financial Reporting 

An important aspect of I&C is the rôle of communications in assembling 
financial statements. The entire process, from the inception of the transaction 
through to the accumulation of amounts in the general ledger, can be seen 
as an I&C process. Software accomplishes the accumulation and summariza- 
tion of information for most entities, whether they use a basic System such 
as QuickBooks or an industry-specific accounting and transaction processing 
package. In many entities, information also needs to be gathered from differ- 
ent locations, divisions, or product fines and then summarized before it can 
be Consolidated into the financial report. 

Is the processing and summary of information performed on a timely and 
accurate basis? Is ail the information necessary for the statements, including 
the notes, available? Are the accounts and reports tied in together? Is the 
information accessible to those who need it to préparé the statements and 
disclosures? 

When packaged software is not used, spécial care is needed to ensure that 
an accurate summary of the data is made. Many entities use Excel spread- 
sheets somewhere in the financial reporting process, but most spreadsheets 
contain one or more errors in design or execution. Spreadsheets often fall 
short of the goals that recognized accounting packaged Systems achieve. In 
fact, there are entire Web sites devoted to tracking and reporting errors in 
spreadsheets (see www.eusprig.org/stories.htm). Billion-dollar misstatements 
in published financial reports hâve been attributed to spreadsheet errors. 

Information Flows 

Are the right people getting the right reports? Are the reports timely and 
relevant? Financial and nonfinancial information is usually communicated 
in reports in some form that employées and management use to perform 
their jobs and manage their functions or the business as a whole. While our 
focus is on financial reporting, management reports are often a mixture of 
financial and operating data that can be used together. For example, sales and 


INFORMATION AND COMMUNICATION 


59 


shipments are related, and sales and production and inventory levels hâve a 
logical relationship that can be used to identify anomalies. In a retail business 
with many stores, management may receive extensive sales and statistical 
reports about the operations at various locations for the purpose of identifying 
patterns, opportunities, and anomalies that require further attention or may 
indicate a financial statement misstatement. If those reports are not presenting 
accurate, relevant data on a timely basis, then bad business decisions will 
be made. 

There can be nothing more maddening than not having the data you need 
on a timely basis, unless it is being given information that is not relevant 
to you. The goal is the présentation of the right content to the right people, 
accurately and timely presented. 

Internai Communications 

Internai communications are essential in every entity where two or more 
persons are employed. Coordination, coopération, and communication are 
necessary to create and maintain a constructive control environment and an 
effective work environment (or you may hâve two more “C”s - confusion and 
conflict). From the top of the organizational structure down and back up again, 
broken communication chains can create misunderstandings. When financial 
transactions and financial reporting are involved, the miscommunications can 
lead to misstatements of amounts or inaccurate disclosures. 

This is a subjective area. While effective communications are hard to artic- 
ulate, it is amazing how quickly environments where internai communications 
are déficient can be identified. 

When internai communications are dépendent on one methodology such 
as e-mail, due to the distance between workers, what is Plan B if the normal 
mode of communication is not practical due to some unexpected event? The 
events of 9/1 1/2001 brought home to many New Yorkers the need to consider 
unusual situations to ensure that communications can occur. 

External Communications 

Extemal communications include those with customers, suppliers, consul- 
tants, and auditors. A lack of effective communication within or to those 
outside of the organization often is recognized fairly quickly, and if not reme- 
died, it will resuit in lost sales, lost goodwill, and other conséquences that are 
likely to lead to financial implications fairly quickly. Customer complaints 
are often a leading indicator of brewing external communication problems 
and of likely financial conséquences that will be following. 


60 


THE FIVE COMPONENTS OF THE CONTROLS FRAMEWORK 


INFORMATION TECHNOLOGY 

Information technology, like information and communication itself, has 
significant relationships to the other framework components. In control activ- 
ities, for example, the individual Controls may be automated, and software 
may be used for accounting for the financial transactions and some control 
features are part of the software (e.g., matching invoice and proposed cash 
disbursement amounts). Another aspect that relates to communications is the 
use of networks and electronic media to generate and distribute reports. In 
many entities today, monitoring is also dépendent on a form of IT to provide 
management access to needed information and data. 

An argument can be made that this topic belongs in the control activities 
component, or it can be asserted that it should be a separate component like 
I&C, which has so many tentacles into other component areas. Wherever its 
position in the framework, the important point is that the IT influence is perva- 
sive in some entities and it is less important in other entities. One-size-fits-all 
is not appropriate as an approach to documenting and assessing IT. 

In the 1992 COSO Framework guidance, relatively little was said about 
IT. By 2006 many questions were raised regarding how and by what stan- 
dards IT should be assessed. The 2006 COSO guidance provided expanded 
information in this area, but many questions still remain. For the reader inter- 
ested in a deeper under standing of the application of control objectives to the 
IT area, COBIT ( Control Objectives for Information Technology), now in its 
fourth édition, was developed by the Information Systems Audit and Control 
Association’ s (ISACA) (see www.iasca.org). COBIT enumerates a detailed 
set of control objectives tailored to the information Systems environment. 
Motivated by the need for more practical guidance to public companies in 
complying with the requirements to assess and report on the effectiveness of 
internai Controls under SOX, the IT Govemance Institute issued IT Control 
Objectives for Sarbanes Oxley, 2nd Edition (2006). Many IT professionals 
find the guidance in COBIT to be directed to a high standard, and not as prac- 
tical as the simpler guidance in the IT Governance Institute publication. Still, 
other professionals believe that even the simpler ISACA guidance is overkill 
with respect what is needed to assess IT as part of the overall assessment of 
the effectiveness of internai Controls, particularly to meet the base level of 
audit requirements where Controls are not being relied on by the auditor or 
reported on by the entity. 

There are two basic subsets of IT: applications and general Controls. 
Application Controls are those that directly relate to the software used to 
process transactions and the standing data (e.g., price lists, payroll data, and 


INFORMATION TECHNOLOGY 


product cost data) the software applications use. In simple Systems such as 
QuickBooks and in higher-end Systems such as SAP, the Controls that are 
inhérent in the software or are implemented features fall under this term. 

General Controls say something about the overall IT environment in which 
the applications lie. These aspects of IT Controls hâve a “control environment” 
component that has its own tone at the top — this time focused on the IT 
function and the tone of its environment. The four components of IT general 
Controls commonly mentioned in the literature are: 

1. Security and access 

2. Change Controls 

3. System development 

4 . Operations 

Although some of these éléments had more relevance and importance in 
older IT Systems, you hâve to gauge to what extent they apply in your cir- 
cums tances. 


Security and Access 

In my view, the security and access component is the most critical. It is also 
the element in which entity Controls are most likely to contain weaknesses. 
It was high on the list of identified deficiency areas (even when compared 
to the control activities component) in the first year of implementing audits 
of internai control, and that was for the largest and best-controlled commer- 
cial entities. The good news is that it is one of the easiest deficiencies to 
overcome. 

Security and access is what it says. Permit individuals to access ail the 
information and only the information needed to do their jobs, or as autho- 
rized by the entity. Sure, let everyone view your payroll data, no problem. 
Better yet, give people access to your System and let them initiate transac- 
tions, create employées, or change payroll data and schedule payments. Not 
only are there State and fédéral privacy laws that can expose your entity to 
significant fines for revealing personal information, but the risk of fraud and 
misstatement soars as access and security deficiencies increase. The simple 
use of passwords, the securing of the computer hardware in a restricted access 
location, and the maintenance of in formation in locked files can go a long 
way to reducing the risks in a smaller entity. It is amazing to see how many 
times passwords are pasted on notes on the side of the computer screen or 
on the pull-out desk shelf or are set to the word “password.” Don’t be so 
sure that people are not interested in your data. In any case, deficiencies are 
often easy to fix here without heroic costs or efforts. 


62 THE FIVE COMPONENTS OF THE CONTROLS FRAMEWORK 

Change Controls 

In entities that use simple packaged Systems, the idea, based on past 
home-grown computer programs, that users will request program changes of 
IT départaient programmers is rapidly becoming obsolète. But in many older, 
custom-built Systems, such changes are still relevant and may be important. 
The change Controls element focuses on the initiation, approval, program- 
ming, testing, and user acceptance of changes to Systems. In the absence 
of such Controls, changes may be introduced into the System that adversely 
affect other parts of the software or may resuit in changes that increase the 
risk of fraud. A related concept that is relevant for smaller entities is the 
upgrade of the application software or migration to a new operating Sys- 
tem or platform. How does one ensure that the new program will perform 
as did the old version? Are there any data incompatibilities that need to be 
resolved? When users in smaller entities skip several updates to the soft- 
ware, simple transitions may not be possible. Imagine trying to transfer the 
data from a decade-old DOS version of Peachtree accounting software to a 
Vista-compatible Windows version in a current environment. Will it work? 
Do you know? How can you be sure? 

I once had the unfortunate expérience of new hardware making an old, 
effective software program obsolète. A statistical program, developed in the 
1970s and updated in the 1980s, started to offer challenges because modem 
printers could not “read” and print the data. The program code would hâve 
been expensive to re-create and there were no programmers available who 
were capable of reading its language, nor was there good documentation of 
the program from which to modify the application — situations not uncommon 
with legacy software. In 1999 we looked for a Windows-based replacement 
for the product. As it did not exist, we pleaded with the “Y2K police” to 
let us use the application if it passed the Y2K tests. Once it passed those 
tests, we thought we were home free. OK, so we limped through the printer 
issue, only to be confronted shortly thereafter with the program’ s inability 
to lind the extemal data because the processor speed of the new hardware 
was too fast. One solution was to deliberately retard the speed of the pro- 
cessor, an illogical solution, but the only one possible until we could corne 
up with an alternative. The lesson: Do not wait too long to upgrade your 
software. 


New Systems Development 

Again, new Systems development may pertain more to larger entities, but 
many entities change their computer Systems, accounting software, and the 


INFORMATION TECHNOLOGY 


63 


like from time to time. The idea is to make the transition safely, without 
a loss of data or function. An effective Systems development element will 
hâve a method in place to handle new Systems projects that will include 
a needs assessment, an assessment of hardware and software options, an 
implémentation approach with backups and “undo” points to safely migrate 
data, and a testing function to ensure ail Systems are go. In some cases, the 
old and new Systems will be run in parallel for some time before reliance is 
placed on the new System. 

Another hapless true story is the large service and equipment rental busi- 
ness that intended to install SAP as a Y2K-compliant replacement to an old 
company-developed System. They targeted the California operations as the 
first location for the conversion. Sounded like a sterling idea at the time. The 
company considered hiring consultants to assist in the conversion, but in a 
wave of penny-wise-and-pound-foolish thinking decided its internai IT team 
was up to the task of making the conversion. So the team attended a seminar 
on SAP and received ail the manuals and instructions and headed for the 
West Coast. Somewhere along the way, the receivables and customer data 
from the old System were lost in the conversion process near the time of the 
fiscal year-end. This caused fits, as by the time of the financial statements, 
the System still had not been restored and the entity had to décidé if it needed 
to make an extra allowance for some of the tens of millions of dollars of 
receivables it no longer had records for. The auditors were assured that the 
company could at least restore the old System. That never happened, unfor- 
tunately, and the company had to use very expensive and time-consuming 
procedures to re-create some of the data. 

Systems development is not a do-it-yourself project, and even when com- 
petent Systems people are involved, there are usually surprises and “leaming 
opportunities.” If you hâve an important project, make sure you hâve the 
technical specialist assistance you need. 

Operations 

Operations covers a number of subject areas. In the unusual case today where 
transactions are run in batches, the order of running file updates may be 
important, so glitches in running updates to files would fall under this topic. 
This element also encompasses the analysis and diagnosis of customer, sup- 
plier, or user IT complaints or annoyances to identify systematic problems of 
any nature. An effective function to report significant issues to management 
and to be able to take remédiai actions to address the immédiate situation is 
an indicator of effective operations. 


64 


THE FIVE COMPONENTS OF THE CONTROLS FRAMEWORK 


A final dimension covered by this element is the backup and disaster 
planning functions. The incidence of déficient backup policies is very high 
in many businesses. The problem here is akin to the leaky roof: When it 
is raining, the roof cannot be fixed, and when it is not raining, there is no 
problem. Backups should be regularly scheduled and the backup data secured. 

You should make a risk assessment of how critical your Systems and 
associated data are to your entity, and use that assessment to develop some 
sort of disaster and recovery plan. Fires, floods, and hurricanes happen, and 
when they happen, there is no time to develop a plan. Systems and electronic 
data are becoming more critical to the operations of every entity. 

A simple plan might only require you to secure a copy of the backup data 
and processing software offsite. More elaborate plans may hâve hardware 
backup and battery capacity to address the critical entity needs. 

One disaster story concems a thriving company that maintained leased 
equipment and software records for financial services businesses as a service 
to facilitate keeping these records updated and licenses current. Computerized 
customer records and details of the key dates relating to the software were 
the business, so fairly elaborate plans were made to make regular backups 
and retain them offsite. In addition, backup hardware and supplies were also 
maintained at the secure site, to make the System as bulletproof as practical. 
The company’ s main office in the World Trade Center was destroyed in the 
terrorist attacks of 9/11. Similarly, in a broad flooding situation like Katrina, 
locations even miles away can be at risk. Unfortunately, the secure offsite 
location for the aforementioned business was in the other building of the 
World Trade Center, which also was destroyed. You can never anticipate ail 
the possible circumstances that might happen, but you can at least cover the 
most likely problems. IT professionals can help you develop policies for your 
entity that are reasonable and affordable. 

MONITORING 

One of the more difficult concepts in the framework to operationalize is the 
monitoring component. In the view of the COSO, in order to hâve effective 
internai control over financial reporting, an entity should monitor its Controls 
throughout the period. In the integrated framework, you can easily see how 
monitoring interacts with information and communications because manage- 
ment often uses reports to monitor control operations or to identify exceptions 
to Controls, such as from a computer exception report. 

The monitoring might be continuous or periodic. It might also be embed- 
ded in a software application, such as a three-way match of the purchase 


MONiTORING 


65 


order, receiving report, and disbursement as a part of the software, or it 
might be exercised by management observing and/or testing manual Controls 
on a periodic basis. 

In smaller entities, the control activities and the monitoring components 
sometimes become confused because the layers of supervision and workers 
are not présent. With a bookkeeper and a management supervisor, what the 
manager does to ensure correct processing of transactions and préparation 
of the financial statements is often the control. The monitoring that some 
are likely to identify in small-entity situations is really the control itself. 
If management reviews summary reports of sales and production statistics, 
is that monitoring, or is it the control? It dépends. If there are numerous 
Controls over the underlying reported numbers, then that additional layer of 
management scrutiny is monitoring. If not, then the monitoring aspect is 
really just a high-level control, and it may not be that effective in iden- 
tifying and correcting smaller misstatements that could aggregate to larger 
misstatements. Monitoring should be applied to Controls, and it will often 
not be considered monitoring if it is applied directly to processes; then it is 
probably the control. Some ways that smaller entities hâve coped with this 
is to hâve owners become more involved in the Controls and operations. In 
other cases, part-time accountants from local or smaller practices hâve been 
hired to serve a quasi-intemal audit fonction, supporting owners and senior 
personnel. In other cases, more computerized Controls over transactions may 
offer an opportunity to hâve the monitoring performed by other employées 
or management, since the control is being pushed down to the automated 
level. In some smaller entities, some employées cross-check each other’ s 
work as a control. Self-assessment is OK, but management needs to under- 
stand how difficult it is to verify your own work and probably should not rely 
extensively on this. Unfortunately, the framework says that the independent 
auditor should not be part of a client’ s internai control; thus, the independent 
auditor’s work should not be relied on as a monitoring control. 

Monitoring and checking using objective and competent persons (not 
“self-assessment”) will often also help to better control auditing costs, as 
independent auditors may be able to rely to some extent on these internai 
procedures, and not hâve to perform them or perform as many of them in 
connection with the audit. 

Because of the difficulty in understanding monitoring as a concept, and 
in particular how it applies in smaller entities with few layers of person- 
nel, the COSO commissioned further study on this topic in 2007. The lead 
resource in that study is Grant Thornton, LLP. Because the next wave of 


66 


THE FIVE COMPONENTS OF THE CONTROLS FRAMEWORK 


public companies scheduled to report on internai Controls starting in 2007 is 
less structured and many do not hâve an internai audit function, the timeli- 
ness of clarifications and implémentation tips and guidance is critical. While 
public companies may be a focus, the research may help in clarifying this 
component for ail companies. 

The concept of monitoring is that management should hâve a mechanism to 
monitor the puise of the business and its reporting. Circumstances change ail 
the time. Most entities need to be aware of extemal and internai changes that 
are happening, as many hâve financial reporting or disclosure implications. 

Controls documentation should be in place so that the monitor understands 
the control that is being overseen. It is very hard to check the effective 
operation of something that is not well defined, and proper documentation 
helps the auditor and management détermine the best way to test that the 
control continues to operate as designed. 

Sample sizes (for testing spécifie Controls) and the frequency of monitoring 
are judgments that entities need to make, consistent with the size, complex- 
ity, and extent of exposures in an entity (see the section in this chapter titled 
“Risk Assessment”). When most processes and Controls are automated, and 
IT general Controls are effective, then procedures might not need to be as 
extensive regarding control activities. In an environment where manual Con- 
trols predominate, more items and more frequent testing of those Controls 
are likely warranted to ensure continued quality. Further guidance on sample 
sizes is provided in chapter 6 of this book. 

In the monitoring process, entities will encounter deficiencies and excep- 
tions. They are inévitable. Chapter 7 provides further assistance in identifying 
and assessing the severity of deficiencies encountered in design or operation. 
Top management needs to be informed of issues encountered that could resuit 
in a material misstatement or could, in combination with other misstatements, 
lead to a material misstatement. 

It is also désirable to inform the independent auditors of significant con- 
trol findings. In fact, such a communication is required in PCAOB audits of 
internai control, but it is highly désirable in ail circumstances. In order to 
perform an effective audit, auditors may need to design tests to compensate 
for the lack of control effectiveness in a certain period. That includes situa- 
tions where the ineffectiveness is remediated before the auditor arrives. The 
auditor needs to know that the control was ineffective for part of the period. 
Often, even if not disclosed, the auditor finds out about the ineffectiveness 
through employée interviews and testing; then he or she may need to make 
costly changes in the audit plan to compensate for the deficiency. Candid 


MONiTORING 


67 


disclosure up front provides the best basis for auditor relations and for greater 
audit efficiency. 

Note that the concept of assessing the severity of a deficiency is that it 
could lead to, not did resuit in a material weakness or material misstatement. 
It is difficult for auditors and management to recognize that a control defi- 
ciency needs to be assigned a severity rating that reflects what could happen, 
not what did happen. Maybe the door to the warehouse was unlocked and 
wide open ail year, and no losses occurred. That does not lessen the severity 
of the physical security weakness, since it could hâve resulted in a misstate- 
ment or a loss, the magnitude of which may be limited to the value of what 
the warehouse contained. A lack of Controls over cash disbursements means 
that a very material volume of dollars is potentially at risk and the deficiency 
is probably going to be severe in nature. 

Evidence of Monitoring Controls 

Particularly troublesome in the area of monitoring, but a general problem 
associated with Controls and the auditor rôle is the issue of whether évi- 
dence exists that the control was performed. The COSO Framework accepts 
the premise that Controls could be operating, even though there may be no 
evidence of their operation. And indeed this is a common problem in real 
companies where management indicates they performed the monitoring, but 
there is no evidence that the auditor can see that the monitoring control 
operated. Suppose we are talking about the review of a bank réconciliation 
by the treasurer several times a year to ensure the procedure is being per- 
formed. Suppose the checking was done in February, May, and September, 
but there is no evidence that it was performed. What record is kept to support 
the assertion that this component of effective internai control operated as it 
should hâve? And that’ s the point. Management and the independent auditor 
need to see such records of performance to verify that the control took place. 
Creating such evidence is easy to accomplish, and the lack of evidence is 
often a source of friction when auditors are asked to rely solely on oral rep- 
résentations to support their conclusions. Frankly, auditors are asked to go 
beyond oral représentations in seeking evidence, but sometimes that may be 
ail that is available. 

This problem is generally pretty easy to fix. I suspect résistance develops 
due to defensiveness and frustration arising from the eleventh-hour discovery 
that evidence is not available. Here are some simple sources of evidence to 
support oral evidence about a control operation. In most cases, it takes just a 


68 


THE FIVE COMPONENTS OF THE CONTROLS FRAMEWORK 


second to perform the step, and, even though annoying, it does not hâve to 
be a great burden. 

• Place a spécial stamp with the date on the original document reviewed. 

• Initial and date the original document. 

• Keep a checklist of procedures and initialing and dating as performed. 

• Add a mémo to the files. 

• Préparé committee meeting minutes with lists of follow-up items. 

• Archive e-mails discussing the activity and its scheduling and results. 

• Complété a testing form for each test of the control. 

• Specify completion of the activity in time records. 

A little forethought is very helpful in creating such evidence, which reduces 
a source of friction between management and the auditor and which créâtes 
a clearer record of performance. 


Appendix 3A 

Blue Ribbon Committee on 
Improving the Effectiveness of 
Corporate Audit Committees 


SUMMARY OF RECOMMENDATIONS 

While these recommendations were specifically designed for listed public 
companies, many hâve implications for the govemance of private, not-for- 
profit, and govemment entities. 

1. The NYSE and NASD should adopt strict définitions of independence 
for directors serving on audit com mi ttees of listed companies. 

2. The NYSE and NASD should require larger companies to hâve audit 
com mi ttees composed entirely of independent directors. 

3. The NYSE and NASD should require larger companies to hâve finan- 
cially literate directors on their audit com mi ttees. 

4 . The NYSE and NASD should require each company to adopt a formai 
audit committee charter and to review its adequacy annually. 

5. The SEC should require each company to disclose in its proxy state- 
ment whether it has adopted an audit committee charter as well as 
other information. 

6. Each NYSE and NASD listed company should State in the audit com- 
mittee charter that the outside auditor is ultimately accountable to the 
board of directors and the audit com mi ttee. 

7. Ail NYSE and NASD listed companies should ensure their charters 
mandate that their audit com mi ttees communicate with the outside 


69 


70 BLUE RIBBON COMMUTEE ON IMPROVING THE EFFECTIVENESS 

auditors about independence issues, in accordance with ISB. 1 The 
PCAOB has its own independence standards for public companies 
and the AICPA has independence standards for private companies. 
The GAO, Department of Labor and other agencies hâve other spécifie 
standards that apply to entities they oversee or regulate régulations. 

8. GAAS should require that the outside auditor discuss with the audit 
committee the quality not just the acceptability of the accounting prin- 
ciples used. 

9. The SEC should require the annual report to include a letter from the 
audit committee clarifying that it has reviewed the audited financial 
statements with management as well as performed other tasks. 

10 . The SEC should require the outside auditor to perform an intérim 
review under SAS no. 71, Intérim Financial Information, before a 
company files its form 10-Q. 

The full report (76 pages) can be obtained from the website: www.nasdaq 
.com/about/Blue_Ribbon_Panel.pdf 


1. The ISB (Independence Standards Board) was disbanded in 2003. 


4 

Documenting Internal 
Controls using A Framework 


MANY WAYS TO DOCUMENT 

There are various approaches to documenting processes and Controls. Com- 
mon ones include narratives, flowcharts, checklists, manuals of procedures, 
combinations of these approaches, and control matrices. Each of these app- 
roaches has advocates as well as strengths and weaknesses. Your entity may 
already hâve one or more of these methods in use (or in the files) currently. 
In the smaller entity, the existing source (if there is anything) is likely to 
be a procedures manual that covers a wide variety of subject matter and 
may include certain accounting procedures and practices, such as when are 
checks required to hâve two approvals. Such a manual may also cover human 
resource (HR) issues (e.g., hiring practices, forms, performance évaluations, 
etc) and other practices. The content of company manuals is relevant to 
Controls over financial reporting. In the COSO (Committee of Sponsoring 
Organizations) Framework, HR issues and practices are part of the control 
environment. As we proceed, you will be surprised at the breadth of issues 
that can and do affect financial reporting. 

Before initiating the project, it helps to know what tools and practice aids are 
now available to meet the current expectations regarding documenting Controls. 

PURPOSE OF DOCUMENTING FINANCIAL 
REPORTING CONTROLS 

Controls are documented for a variety of reasons: 

• The documentation provides a baseline for new employées to under- 
stand their responsibilities, how things work, and how their jobs relate 


71 


72 DOCUMENTING INTERNAL CONTROLS USING A FRAMEWORK 

to other positions. When employées leave, retire, or are discharged, 
there may not be a sufficient overlap between the departing and new 
employée to communicate ail the duties — things are left out of the 
conversation or are simply not understood. It is common for incoming 
employées not to hâve ail the information necessary to do their job 
from day one. 

• It helps to use documentation when confirming that certain procedures 
and processes hâve not changed over time and when documenting what 
changes hâve occurred (intentional or accidentai) over time. 

• Documentation provides management and the auditor with a method to 
identify gaps in Controls that could lead to accounting errors or fraud 
and to identify possible mitigating Controls to prevent future problems. 

• Monitoring, an essential component of internai Controls, cannot be 
effective if the Controls over which the monitoring is occurring are 
not clearly articulated. 

New auditing requirements for ail companies make it clear that a lack of 
financial reporting Controls documentation is itself a control deficiency for 
an audited entity. A lack of documentation may require the auditor to com- 
municate this in a letter to management and those charged with govemance 
as a significant deficiency or a material weakness. In addition, the Internai 
Revenue Service or other régulations State that many not-for-profit and gov- 
emment entities must hâve adéquate procedures documentation. Not-for-profit 
entities should check with their attorneys and national organizations con- 
ceming their liability regarding maintaining and retaining adéquate books 
and records, as failure to do so may resuit in a loss of any favored tax 
status. 

Many auditors of large public companies, after performing the required 
procedures to assess their clients’ internai Controls, noted how much better 
they understood their clients and their business. Management had similar 
observations after performing documentations and assessment . 1 A significant 
number of issues were identified and remediated by these large, supposedly 
well-controlled entities when they looked carefully at their Controls. This is 
testament to the value of knowing, in detail, how the business works and what 
gaps need to be closed to prevent the kind of mistakes that waste management 
energies and raise audit costs. 


1. S. Wagner and N. Dittmar, “The Unexpected Benefits of Sarbanes-Oxley,” Harvard Business 
Review (April 2006): 133-140. 


VALUE OF CARE IN DOCUMENTATION 


73 


Auditor Guidance 

Auditors of nonpublic entities should consider the requirements of SAS No. 109, 
Understanding the Entity, and SAS No. 103, Audit Documentation , which requires 
the documentation of the: 

• Procedures performed 

• Evidence examined 

• Conclusions reached 

When audited entities hâve prepared and maintained their own Controls documenta- 
tion and retain that information, auditors may not need to retain ail that information. 
In such cases, auditors can simply référencé the client documentation in conjunction 
with their procedures. The audit work papers should contain sufficient information 
to demonstrate the auditor's understanding of the System of internai Controls. At a 
minimum, this needs to cover the design of the Controls and obtaining some evidence 
that the control really is in place. 


VALUE OF CARE IN DOCUMENTATION 

It may be that in the first year of documenting and assessing financial report- 
ing Controls, you corne under time, resource, or other constraints that limit 
your ability to do ail that you want to do in the way you want to do it. While 
this is understandable, a lesson leamed by many is that doing the absolute 
minimum to scrape by that first year leads to mistakes, poor documentation 
that is impractical to maintain, and just defers the task a short while. In 
essence, you waste your current time and money. 

The task of documenting processes and Controls, if done correctly, has 
continuing value. Relatively little annual maintenance will be required to 
confirm and update good quality documentation for most entities. For those 
entities not required to report on their internai Controls, it is a far better 
strategy to target their most significant transaction processes, such as rev- 
enues, expenses, and payroll, and do those areas well, and at least provide 
some talking points on some of the other areas where there is less activity, 
such as by drafting parts of an accounting or procedures manual. Over time, 
COSO-based documentation can be completed to address these other areas, 
but rather than do a broad number of areas poorly, do a few well. 

According to auditing standards, those entities not reporting on their inter- 
nai Controls do not hâve to analyze ail processes and transaction streams for 
effective design, simply the main ones. Of course, the main ones will vary 
by entity and industry, so you may want to hâve a conversation with your 


74 


DOCUMENTING INTERNAL CONTROLS USING A FRAMEWORK 


independent auditor and corne to a meeting of the minds regarding what those 
processes and streams are for your entity. 


FORMATS AND TOOLS FOR DOCUMENTING CONTROLS 

The most common format for documenting and capturing Controls documen- 
tation in use today involves the use of Excel and Word-based templates. When 
the Sarbanes-Oxley Act of 2002 (SOX) demanded that entities and auditors 
report on internai Controls starting in 2004, the most expédient method of 
creating COSO-like formats for documenting Controls was to set up Excel 
and Word templates. Indeed, even in 2007 these templates are in wide use in 
the “big four” accounting firms and most corporations. The market for more 
formai software that was expected to develop remains mostly unaddressed 
in 2007. The continuing déferrais of effective dates and other uncertainties 
regarding the implémentation of SOX in smaller public companies appears to 
hâve dissuaded some major commercial software vendors from entering the 
Controls documentation marketplace prior to 2007. Those programs and tool 
kits that were released for commercial use in the early days of SOX were 
oriented to large entities and were relatively expensive and complex. In addi- 
tion, the newness of the American Institute of Certified Public Accountants 
(AICPA) standards for nonpublic companies has not solidified a vision for 
the needs of over 350,000 entities that are not publicly reporting on Controls, 
but are receiving audit reports. Furthermore, most commercial Controls doc- 
umentation products are clearly SOX oriented and may be less appropriate 
for not- for-profit, private, and govemment documentation assignments, where 
the SOX rules do not apply. 

Readers should be alert for new software announcements for products 
designed for Controls documentation, as entities in both the public and non- 
public marketplace are seeking tools for Controls documentation, and addi- 
tional product offerings are likely to follow. 2 

Spreadsheets 

In general, developing your own spreadsheet templates can be very time- 
consuming. The advantage is, of course, that the medium is readily available 
and familiar to many users. The disadvantage is that spreadsheets may be 


2. In 2007, The Cobre Group (www.cobre.com) announced ControlsDoc™, a software product for 
SOX and non-SOX Controls documentation using COSO principles, and designed for use by 
entities and auditors or by both. 


FORMATS AND TOOLS FOR DOCUMENTING CONTROLS 


75 


difficult to control in terms of development, updating, and archiving. Strong 
procedures surrounding their development and use need to be put in place 
so that the results of the documentation efforts are carefully captured and 
are preserved from year to year. Most of these procedures are likely to be 
manual ones. The next section on software, présents points of considération 
in determining the nature and types of Controls and design features you might 
need if you considering software or are planning to go it alone. 

Furthermore, you are likely to be on your own in developing many 
of the control objectives for individual accounts in your financial state- 
ments, as COSO has not published sample control objectives for many 
detailed accounts. The 2006 COSO guidance provided illustrations of detailed 
attributes (also termed control objectives) for revenues, and the 1992 COSO 
Framework illustrated purchasing and inventory control objectives. The many 
other transaction streams and account balances were not addressed in this 
guidance. However, existing COSO guidance may be useful in drafting con- 
trol objectives for the control environment, risk assessment, and monitoring. 
You should plan to tailor any generic attributes or control objectives to con- 
form to the terminology you use in your business. A section later in this 
chapter, Developing Custom Control Objectives, gives guidance on how you 
can draft control objectives for spécifie accounts where generic, suggested 
control objectives may not be relevant or available to you. 

In 2006 the COSO released a Word-based version of the templates illus- 
trated in Volume 3 of Guidance for Smaller Public Companies. This may help 
companies to develop such templates for internai use or training. When you 
purchase a copy of the 2006 COSO guidance, these tools are provided. While 
links to the COSO document are available from sponsoring organization Web 
sites (e.g., AICPA, Institutue of Internai Auditors — IIA, Financial Executives 
Institute — FEI, Institute of Management Accountants — IMA), the links are 
ail fulfilled through the AICPA Web site, www.cpa2biz.com. 

Whether documentation project managers and key team members are inter- 
ested in the templates or not, I recommend that they become familiar with the 
2006 COSO guidance and examples, even though many of the same points 
are covered (and often in more detail) in this book. While the title of the 
guidance says “smaller public companies,” many of the points in the 2006 
COSO guidance are fully applicable to entities that are not public companies. 

Software 

If you do not care to invest weeks of time and effort in developing home- 
made templates for Controls documentation, you may look for some software 


76 


DOCUMENTING INTERNAL CONTROLS USING A FRAMEWORK 


that can assist you in this process. Software can help structure your infor- 
mation gathering, but it is still necessary to understand the COSO control 
concepts before beginning your work, or the software product will likely be 
disappointing, even if the product is well designed. 

While there are a number of products in the marketplace for documenting 
Controls, you need to consider your project purpose first. If you intend to 
develop documentation to support an auditor’s report on your internai Con- 
trols, a software product designed for SOX applications may be appropriate to 
your purpose. The level of entity Controls documentation necessary to support 
an AICPA AT 501 report on internai Controls is not intended to be differ- 
ent from that required under the SOX requirements, and thus both purposes 
may be served with a SOX-oriented product. However, if your purpose is 
simply to meet the documentation requirements necessary for audit purposes, 
and not necessarily to report on Controls, you may seek software specifically 
designed for this purpose or that is scalable to your needs. 

Entities outside the United States may wish to reference local auditing 
or regulatory standards to identify required spécifications. For example, in 
countries complying with the International Fédération of Accountants (IFA) 
auditing standards, International Standards of Auditing (ISA) 315 and ISA 
330 contain similar provisions to the AICPA’s SAS No. 109 for U.S. auditors, 
and products designed for AICPA standards may meet the IFAC requirements 
also. If entities outside the United States need to comply with SOX standards 
because they are part of a Consolidated group requiring such reporting, a 
SOX-oriented product may be most appropriate. 

Besides taking your documentation needs into account, you must bear in 
mind some other software considérations. When selecting software for doc- 
umentation purposes, you may want to check with your independent auditor, 
documentation consultant, or internai resources. However, in the end you 
should make your own choice. Also bear in mind the points that follow (which 
are listed in Appendix 4A in a form that makes comparison of products and 
features easier). 

• Vendor and réputation. Of course, you should consider how long the 
vendor has been in business and its réputation in the software market- 
place. Since the needs for this spécifie type of software are fairly recent, 
the vendor’ s total software expérience, not just the period of time the 
spécifie software has been on the market, should be considered. 

• Compatibility with hardware, networks, and operating Systems. If you 
are a Mac shop, a PC-designed product may or may not work as 
well (or at ail) in your environment. Different operating Systems and 


FORMATS AND TOOLS FOR DOCUMENTING CONTROLS 


77 


hardware environments can affect the way some software functions 
behave. When choosing a product, consider whether the software is 
intended to be installed on a network and if it needs to accommodate 
multiple users. 

Scalability for current and future needs. While today you may think 
you are interested only in meeting the minimum documentation re- 
quirements for your entity, your future needs may change (e.g., pri- 
vate companies sometimes go public, not-for-profit boards may desire 
their entity to report on internai Controls, and govemments may require 
govemmental entities to report on internai Controls). Does the product 
hâve the capability to meet foreseeable future needs yet be serviceable 
at a lower scale today? It is expensive to overhaul existing docu- 
mentation and re-create it in a new software product. Once you hâve 
invested time and money in a product, migrating to a new tool or 
product becomes expensive. 

Compatibïlity with the COSO Framework (or other Controls). As 
noted, the COSO Framework is the most commonly recognized and 
used framework. While it may hâve imperfections, no other framework 
has emerged as a clear solution to any perceived implémentation diffi- 
culties. That does not mean another might not emerge. Indeed, it seems 
likely that someday some group will develop an industry-specific 
framework (e.g., financial services, real estate companies, etc.) more 
applicable to that industry than the generic COSO Framework. Nev- 
ertheless, the COSO Framework remains the 500-pound gorilla in the 
regulatory environment today. By ensuring that the software product 
is rooted in or is compatible with the COSO formats and content, you 
are more likely to be in sync with your independent auditors, regula- 
tors, and others who may view or review your Controls documentation. 
That synchronization will keep costs under better control and facilitate 
communication. 

Supports multiple-person use and access. If multiple-person access to 
the documentation project is required, make sure the software sup- 
ports this. Whether the product résides on PCs or networks, or is 
Intemet-based, you must consider who needs to hâve access to what 
and when in your spécifications. 

Security. Security and access are important for effective internai Con- 
trols over accounting software. How will you control access to the 
Controls documentation software? Do you need to be able to permit 
some people access to enter data in certain modules and deny access 


78 


DOCUMENTING INTERNAL CONTROLS USING A FRAMEWORK 


to their changing data in other modules? This feature can be helpful in 
making sure the program maintains data integrity of and that multiple 
users do not accidentally overwrite information in the System. Can a 
“read-only” version of the documentation be produced so that third 
parties can safely read and review what has been documented without 
accidentally changing the content of the underlying data? 

Archiving. How does the software product archive a final version of 
the documentation for rétention in accordance with any legal or reg- 
ulatory requirements? Under AICPA standards, audit documentation 
(and presumably company documentation on which the audit is based) 
should be retained for at least five years, unless State statutes require 
a longer rétention period. Auditors of public companies are required 
to maintain audit documentation for at least seven years, and com- 
panies presumably should also retain documentation. Consult with 
your attorney, tax advisor, or regulatory body concerning any spé- 
cifie requirements that may relate to record-keeping rétention rules for 
your entity. When entities do not hâve a documentation rétention pol- 
icy and may not retain Controls documentation, the auditor still will 
find it necessary to demonstrate his or her understanding of the Controls 
to support the audit. Consequently, the auditor may need to gather and 
retain more information for his or her documentation purposes. More 
work means higher audit bills. So the failure of entities to document 
Controls may make it important, 

AvailabilityAicensing to third-party reviewers. Is a product license or 
some spécial reader program necessary for a third party to read the 
Controls documentation during the required rétention period? In the 
early days of SOX, some software products designed to help compli- 
ance required a license to view any of the Controls documentation. This 
became an unpopular aspect of the business plan for these products, 
given the need for peer review, inspection, and auditor viewing needs 
and the costs of these licenses (e.g., some well over $10,000). 

Ability to handle multiple location and multiple divisions or seg- 
ments. If you hâve a complex entity, can a single product be used for 
your entity, or is the functionality more limited? Even some smaller 
entities often hâve multiple revenue sources and expenditure processes 
or multiple locations that may share some Controls with other locations 
and not others. For example, universities may hâve separate revenue 
procedures for billing and processing undergraduate day school pro- 
gram tuition, graduate school tuition, night school tuition, and distance 


FORMATS AND TOOLS FOR DOCUMENTING CONTROLS 


79 


éducation degree and certificate programs. They may also hâve fees 
that are collected and a separate source of incoming funds for grants 
and endowments. Can the software product be right-sized to accom- 
modate ail these needs? 

Ability to import and export data. Does the software hâve the abil- 
ity to import and export data to, say, Word or Excel, or the ability 
to attach existing extemal documents in various formats to the Con- 
trols documentation (e.g., Word, Excel, Visio, Adobe)? If considérable 
information is already available in a different format, how difficult will 
it be to get that information into the software or attach it to the docu- 
mentation in lieu of reformatting it or retyping it? Cut/copy and paste 
is generally a basic minimum capability needed to avoid extensive 
re-creation of the data in a different format. 

Templates or formatted formsfor spécial situations. Does the software 
recognize and assist in the documentation of Controls in situations 
where additional due diligence may be necessary? For example, many 
companies today use service organizations to process their payroll. 
Others outsource a number of functions, such as IT System mainte- 
nance, to third parties. Is any considération of these common working 
practices built into the software or formatted forms? 

Report génération. What reports (other than the standard “print” func- 
tion associated with a document) can be generated by the software, and 
are these reports useful to your purpose? Can the software assemble 
a report of only significant deficiencies and or material weaknesses? 
Can it group deficiencies by COSO component (to assist in identifying 
aggregations of deficiencies that may indicate more severe issues)? 
Status reporting. Does the software help you keep track of project 
progress? Does it help you identify what has been completed and 
reviewed, and when these tasks were performed? 

Rollover capability. How does the software help you start fresh next 
year and keep relevant information and discard old information on 
the forms and templates? How are you able to tell when a screen is 
updated from a prior year? 

Help. Does the software contain help in operating the software as well 
as the subject matter of Controls documentation? Is there training or 
orientation material? 

Price. Is the software cost-justified? Evaluate the functions and fea- 
tures relative to the price. Consider how the software is licensed and 
what the net cost will be to your organization in terms of initial price. 


DOCUMENTING INTERNAL CONTROLS USING A FRAMEWORK 


Include any maintenance or annual renewal fees in your cost esti- 
mâtes. 

• Maintenance and upgrades. Is the vendor committed to maintaining 
and enhancing the product? Does the software license expire at a spé- 
cifie date if maintenance is not purchased? Maintenance and support 
contracts generally require an additional charge. A standard charge for 
many software programs is in the range of 15% to 20% of list price. 
How will major new releases of the product be sold? 

• Service and support. Is a mechanism available to hâve questions an- 
swered or problems solved by the vendor? These questions would gen- 
erally be limited to ones about the software and its operation. Content 
questions about what to document or what is needed to satisfy spécifie 
régulations or rules constitutes Consulting advice and is not generally 
included in maintenance or available through a software vendor. 

These considérations can assist you in the design of your templates or in 
assessing software alternatives that are available in the marketplace. 


FORMATS AND TEMPLATES, MATRICES AND FORMS 

The 1992 COSO Framework and the 2006 guidance illustrated the use of a 
matrix format for aligning the control objectives (attributes) with the control 
procedures, assertions, and assessed risks associated with the control objec- 
tive or attribute. Most templates developed since the imposition of the SOX 
requirements, such as the 2006 AICPA Audit Guide, Assessing and Respond- 
ing to Audit Risk in a Financial Statement, illustrate the use of such a format 
for documenting Controls. Exhibit 4.1 provides an example of a control matrix 
format from the 1992 and 2006 COSO documents. 

Key to the Illustration 

• Control Objectives were to be identified in the left column. 

• 0,F,C referred to whether the control was operating, financial or com- 
pliance in nature. In the current reporting focus, only the Controls with 
financial reporting implications are of immédiate interest. 

• The Risk Analysis section was designed to contain an assessment of 
what could go wrong, as well as the likelihood of that happening. 

In addition, further documentation columns were suggested in the guidance: 

• Actions/Control Activities/Comments was set out as a place to docu- 
ment the Controls and processes that achieved the objective and also 
addressed the identified risks. 


FORMATS AND TEMPLATES, MATRICES AND FORMS 


Risk Assessment and Control Activités Worksheet 

Activity: 



Objectives 0,F,C Risk Factors Likelihood 


Exhibit4.1 1992 COSO Internal Control-Integrated Framework: Evaluation Tools 
(pages 42 and 43) 




sa. 




Exhibit 4.2 2006 COSO Internal Control over Financial Reporting — Guidance for 
Smaller Public Companies (page 48 — Revenues) 


• Other Objectives AJfected facilitated the documentation of Controls 
with multiple dimensions and relationships to other Controls 

• Evaluation and Conclusion provided a space to summarize conclu- 
sions. 

Over time, the financial focus of accounting and auditing applications 
transformed the 0,F,C box into a place for recording the relevant financial 
reporting assertions, as can be seen in Exhibit 4.2, the format illustrated in 
the 2006 COSO guidance. 

Key to the Illustrations 

• Financial Statement Assertion. The control objective/attribute and fi- 
nancial statement assertion are shown combined in the first column. 

• Risk. What can go wrong is considered in the second column. 


82 DOCUMENTING INTERNAL CONTROLS USING A FRAMEWORK 

• Process-level Control. This is where one would document the Controls 
and processes that achieve the objectives and address the identified 
risks. 

• Preventive/Detective. This section documents whether the control is 
préventive or détective. 

• Manual/Automated. This section documents whether the control is 
manual or automated. 

Part II 

• Entity Level. This section lists those Controls that operate across the 
entity. 

• Process Level. Here are listed those Controls that relate to the detailed 
assessments, such as for revenues and expenses. 

• Design Effectiveness. The assessment of design effectiveness is stated 
here. 

• Summary Evidence of Control. The results of tests or walk-throughs 
are documented here. 

• Operating Effectiveness Regarding Principles. An assessment of oper- 
ating effectiveness goes here. 

While slightly different in présentation, both formats provide a structure in 
which to document Controls effectiveness that is clearly different from nar- 
rative or flowchart approaches. Clearly, the suggested approach does not 
illustrate the yes/no mentality of a checklist, where the existence or the 
absence of a control has some implied implication for assessment. Rather, 
the approaches illustrate and assess how the Controls and procedures in 
place address the objectives, risks, and assertions. That is the heart of a 
COSO-based approach to documentation. 

When documenting processes and Controls, complexities can arise that 
may discourage the use of longitudinal matrices. For example, how should 
information on outsourced activities be integrated? Should there be a space to 
document walk-throughs or sample tests? Users of these forms and templates 
could continue to add columns to accommodate sample plans and results and 
various permutations and combinations of issues that relate to a control, but 
then the format becomes unwieldy and difficult to follow. 

The appendix to this book présents a not-for-profit case study that illustrâtes 
the use of control matrices in documenting and assessing some of the Controls 
in a smaller organization. 

Another approach that gets to the same place may be the use of a form 
with the same information gathered in a vertical format, which may facilitate 


DEVELOPING CUSTOM CONTROL OBJECTIVES 


83 



Exhibit 4.3 Formatted Information-Gathering Form 

Source : Used with permission of The Cobre Group, Mountain Lakes, NJ. 


scrolling within the control objective or attribute. Exhibit 4.3 shows a Controls 
documentation partial data-capture screen that uses such a format. 

While the précisé format followed in documenting Controls may not be the 
critical issue, the ability to gather relevant information and relate the entity 
Controls to control objectives will help ensure a quality application. 

DEVELOPING CUSTOM CONTROL OBJECTIVES 

In ail but the most typical, simple entities, you will need to customize the 
sample control objectives that are available from COSO or other sources. 
Peer businesses, trade groups, and business associations may be resources 
to help you identify a set of control objectives more tailored to your needs 
than the more commonly available generic objectives. Unfortunately, the near 
panic that developed surrounding the initial wave of Controls documentation 
in connection with implementing reporting on internai Controls in 2004 did 
not resuit in careful development of control objectives, and many entities and 
auditors used generic control objectives for their documentation with little or 
no customization. In the next year, they often repeated the path adopted in 
year 1 with little progress. Over time, presumably various industry groups will 


84 


DOCUMENTING INTERNAL CONTROLS USING A FRAMEWORK 


give this more considered thought. As COSO is the developer of a conceptual 
framework, it might not be the most likely source for industry-specific control 
objectives in the near future. In the meantime we hâve to improvise. 

The way to improvise is to identify and understand the spécifie cycle of 
transactions, how they are initiated and processed, what accounts are affected, 
and how the cycle relates to the published financial statements. Is the flow 
related to revenues, expenses, spécifie balances? Knowing this may lead you 
to a relevant set of control objectives that can be adapted to the circumstances. 
For example, while purchase orders may be used for most business purchases, 
how are occasional cost reimbursements to employées for purchases handled? 
Some entities, in lieu of incurring certain costs directly, reimburse employées 
for expenses and purchases. How different is this from a traditional disburse- 
ment/expense transaction? Well, perhaps it is just an inversion of when the 
transaction is authorized to be recorded. Instead of requiring an authoriza- 
tion up front for such expenses, instead such purchases may be authorized 
at the time of the expense submission or before payment. Direct company 
crédit card purchases may be authorized after the expenditure, but they still 
need to be checked so that personal expenses are not commingled with busi- 
ness purchases. Although many companies hâve policies prohibiting personal 
expenses from being charged on company cards, post-expenditure reviews of 
transactions are often well advised as a check on that policy and to ensure 
that the transactions are properly classified in the accounts. 

Industry circumstances may create a transaction cycle that just does not 
seem to fit any of the sample cycle objectives well. Often it will be a trans- 
action cycle that relates more to a flow of transactions than to just a balance. 
In such cases, you can develop a sample of control objectives by: 

• Understanding the transaction cycle and the process, from the inception 
of the transaction to the recording in the financial statements 

• Identifying the risks associated with the transactions in this process, 
including any risks of fraud or excessive costs 

• Developing control objectives around the general financial statement 
assertions related to the income statement and over the identified risks. 
The AICPA transaction assertions include: 

o Occurrence (and authorization) 
q Accuracy 
q Completeness 

q Cutoff (recorded in the correct period) 
q Classification (in the financial statements) 


DEVELOPING CUSTOM CONTROL OBJECTIVES 


85 


In addition, you will need to consider whether any spécial segregation-of- 
duties issues relate to the cycle and whether any issues regarding to the secu- 
rity of and access to data files may be needed in processing the transaction. Is 
there a risk that a person can initiate a transaction and approve and process it 
within the cycle and divert the payment or recording to personal advantage? 
Can recording a contract as a sale before it really was a sale (e.g., recogniz- 
ing revenue before generally accepted accounting principles would permit) 
resuit in a commission to a salesperson that is greater than if recorded in 
another period? Does the salesperson hâve influence over or control of when 
the transaction is recognized for accounting purposes? 

Furthermore, there is always a need to consider whether there are any soft- 
ware applications or spreadsheets associated with the transaction in addition 
to the other normal aspects of any control. Spécial transactions often call for 
spécial software and user tools, such as spreadsheets and supporting sched- 
ules and documents, since, by its nature, the transaction cycle is not part of 
the main accounting processing System. 

While the process of developing custom Controls may seem cumbersome, 
it is generally a one-time exercise, since next year you can use the customized 
control objectives and identified risks in confirming continued operation of 
the Controls. If you do find lists of control objectives somewhere, say on the 
internet, how do you know that they relate to the spécifie types of risks your 
entity faces. How complété and well developed are they? Do they cover ail 
of the processes? Use the listed transaction assertions and the ségrégation of 
duties and data file suggestions as a litmus test for whether such acquired 
objectives might be useful. 

A key element in the process of analyzing a transaction stream for the 
purpose of assessing Controls is the identification of risks. Brainstorming and 
developing a good list of risks of fraud and error that relate to the trans- 
action stream often lead to the identification of any Controls design gaps in 
transactions cycles. Some auditors and standards setters believe the risks are 
more important in the Controls assessment and documentation process than 
the control objectives, which are more generic in their nature. 

Appendix 4A présents a sélection of generic sample control objectives/ 
attributes. 


Appendix 4A 

Sample Control Objectives for 
Major Cycles 


The 1992 Internai Controls — Integrated Framework document and the 2006 
Internai Controls over Financial Reporting — Guidance for Smaller Public 
Companies document by the Committee of Sponsoring Organizations (COSO) 
présent sample control objectives/attributes for four of the five components — 
control environment, monitoring, information and communication, and risk 
assessment — of the COSO Framework. The documents also illustrate control 
activities objectives/attributes for the cash disbursements function and for the 
revenues function. A section in Chapter 4 of this book is devoted to devel- 
oping control activities objectives for unique cycles. When purchasing the 
2006 COSO guidance, a Word version of the sample tools and the related 
control objectives for the revenue cycle are included. 

The practice aid materials presented here can assist you in developing 
control objectives for your entity. Clearly, generally the materials must be 
customized to spécifie industries and business circumstances. The control 
objectives discussed here are based on data provided courtesy of The Cobre 
Group, developers of ControlsDoc sm software. 1 

Readers are urged to review and consider edits and modifications to any 
illustrative control objectives/attributes before completing any forms or matri- 
ces. Consider the circumstances of your application and processes first to 
ensure proper detail is captured. Consider: 

• Completeness 

• Redundancy 

• Appropriate level/amount of detail 


1. www.Cobre.com. ControlsDoc™ is Controls documentation software for auditors or entities, and 
a license includes a licensed copy of the 2006 COSO guidance. ControlsDoc™ pre-populates the 
separate component modules with these control objectives for use or user customization. 


86 


ENHANCEMENTS TO SAMPLE CONTROL OBJECTIVES 


87 


ENHANCEMENTS TO SAMPLE CONTROL OBJECTIVES 

Readers are encouraged to share their expériences and their customized con- 
trol objectives for private, not-for-profit, and govemment entities for future 
éditions. If your submission is selected for inclusion in a future édition, 
the author will cite your contribution and provide you with a complementary 
copy of the édition in which your submission (with attribution) appears. Send 
submissions to Lynford Graham at: LgrahamCPA@verizon.net 

General Format 

| Area and Category | Attribute/Control Objective | Assertions 


Revenues 


Ségrégation of 
Duties 

Functions with potential conflicts, such as 
customer approval, sales, and cash 
receipts, are segregated. 


Sales 

Prices used in recorded sales are accurate. 

Accuracy 

Sales 

Only valid orders are fulfilled. 

Occurrence 

Sales 

Ail valid orders are processed and 
recorded and filled. 

Completeness 

Sales — 
posting 

Relevant information is captured and 
reported accurately and promptly. 

Occ, Acc 

Sales — 
completed 

A sales invoice is generated for every 
shipment or completed work order. 

Completeness 

Sales — 
period 

Invoices (sales) are recorded in the 
appropriate period. 

Cutoff 

Allowances 

An allowance for doubtful accounts is 
properly estimated. 

Valuation 

Shipments 

Correct goods are shipped and accurately 
recorded. 

Accuracy 

Shipments — 
period 

Deliveries are recorded and recorded in 
the proper period. 

Cutoff 

Ownership 

Recorded inventory is owned by the 
company. 

Rights and 
Obligations 

Cash Receipts 

Cash receipts are accurately recorded. 

Acc, Compl 

Balances 

Recorded cash amounts exist. 

Rights and 
Obligations 

Balances 

The company has ownership rights to 
recorded cash and accounts receivable. 

Rights and 
Obligations 

Crédits Issued 

Crédits issued are authorized and properly 
recorded. 

Occ, Acc 

Crédits Recorded 

Crédits (to accounts receivable) are 
accurately calculated. 

Accuracy 


SAMPLE CONTROL OBJECTIVES FOR MAJOR CYCLES 


Crédits Complété 

Ail crédit notes and proper adjustments to 
accounts receivable are recorded. 

Completeness 

Physical 

Safeguards 

Physical Controls over cash limit the risk of 
misappropriation. 

Occ, Rights and 
Obligations 

Financial 

Reporting 

Postings to the general ledger are timely 
and accurate. Cash, receivables and 
related information are properly 
disclosed in the financial statements. 

Compl, Acc, Cut, 
Discl 

Data Files 

Access to data files is restricted to 
authorized personnel. 

Occ, Acc, Compl 

Data Files 

Approved changes to data files are 
recorded accurately and timely. 
Standing data are complété and 
accurate. 

Occ, Acc, Compl 


Purchasing and Cash Disbursements 


Ségrégation of 
Duties 

Functions with potential conflicts, such as 
vendor approval, purchasing, and 
payment processing, are segregated. 


Purchasing 

Purchase orders and service requests are 
authorized, complété, timely, and 
accurate. 

Occ, Acc 

Open Purchase 
Orders 

Long-outstanding purchase orders are 
followed up and resolved. 

Occ, Compl 

Receiving 

Ail goods and services received were 
ordered and were processed accurately 
and recorded timely. 

Occ, Acc, Cut 

Returns and 
Allowances 

Ail returns and allowances are authorized 
and were processed accurately and 
recorded timely. 

Occ, Acc, Cut 

Invoice 

Processing 

Ail invoices are promptly and accurately 
processed. Duplicate processing is 
prevented. 

Accuracy 

Cash 

Disbursements 

Payments were authorized, and associated 
goods or services were received and 
recorded in the proper period. Foreign 
currencies are properly recorded. 
Duplicate payments are prevented. 
Long-outstanding payments (e.g., 
uncashed checks ) are investigated. 

Acc, Rights and 
Obligations 

Electronic Funds 
Transfers 

EFT is authorized in advance as to amount 
and payee and is controlled. 

Exist, Occ, 
Compl 


ENHANCEMENTS TO SAMPLE CONTROL OBJECTIVES 


89 


Physical Controls 

Physical contrais over cash limit the risk of 
misappropriation. 

Physical access to unsigned checks and 
check signature stamps or machine is 
contrai led. 

CompI, Acc 

Financial 

Reporting 

Postings to the general ledger are timely 
and accu rate. 

Compl, Acc, 
Cutoff 

Data Files 

Access to data files is restricted to 
authorized personnel 

Occ, Acc, Compl 

Data Files 

Approved changes to data files are 
recorded accurately and 
timely. 

Occ, Acc, Compl 


Inventory 


Ségrégation of 
Duties 

Purchasing, inventory record keeping, and 
physical inventory counting and 
physical access are segregated. 


Transfers of 
Inventory 

Transfers between locations or between 
accounting categories (raw materials, 
work in process, and finished goods) 
are authorized, accurate, and complété. 

Only authorized shipments of finished 
goods are made. 

Acc, Compl 

Quantity 

Vérification 

Physical counts are taken periodically to 
ensure accuracy and completeness. 

Occ, Compl, 

Inventory Costs 

Complété and accurate records are 
maintained regarding product costs, 
including costs of each element 
(materials, labor, overhead) added at 
each stage (Raw Material, Work In 
Process, Finished Goods) of the 
inventory process. 

Compl, Acc 

Accounting 

Period 

Proper Cutoff is maintained on ail goods 
entering or leaving the inventory System 
around period-end. 

Compl, Acc, 
Rights and 
Obligations, 
Occ 

Accounting 

Methods for assigning/allocating costs and 
inventory methods (Last In First Out, 
First In First Out, Weighted Average 
Method, etc.) are in accordance with 
GAAP and are consistently 
applied. 

Acc 


90 


SAMPLE CONTROL OBJECTIVES FOR MAJOR CYCLES 


Inventory 
Costs — 
Standard 
Costing 

Standard costs products are updated and 
maintained. 

Acc 

Inventory 
Costs — 
Standard 
Costing 

Changes to standard costs are approved 
before implemented. 

Basis for the change to standard cost is 
documented. 

Acc 

Inventory 
Costs — 
Standard 
Costing 

Variances from standard costs and 
overhead charges (as applicable) are 
updated and applied to inventory and 
cost of sales in accordance with GAAP. 

Compl, Acc 

Reserves and 
Lower of Cost 
or Market 

Assessments are made of obsolète 
inventory as per GAAP, and 
write-downs are made on a timely basis. 
Ail adjustments are authorized. 

Valuation, Acc 

Physical Controls 

Inventory is protected from loss due to 
theft, misuse or physical damage. 

Occ, Valuation 

Financial 

Reporting 

Postings to the general ledger are timely 
and accurate. 

Compl, Acc, 
Cutoff 

Data Files 

Access to data files is restricted to 
authorized personnel. 

Occ, Acc, Compl 

Data Files 

Approved changes to data files are 
recorded accurately and timely. 

Occ, Acc, Compl 


Payroll and Benefits 


Ségrégation of 
Duties 

Hiring (human resources) and payroll 
functions are segregated. Time report 
approval is segregated from other 
payroll functions. 


Basis for Payroll 
Amounts 

Payroll is authorized only in accordance 
with time records or contractual 
agreements. 

Occ 

Payroll 

Payroll is complété and accurate 
(including to the proper person) and in 
the proper period, including proper 
health and benefits déductions. 

Acc, Compl, Val 

Benefits 

Benefits data and payroll déductions are 
accurately processed from the payroll 
records to the files. Benefits records are 
maintained for each employée in 
accordance with the plans. 

Acc 

Follow-up 

Missing, duplicate, or long-outstanding 
checks are investigated. 

Occ, Compl 


ENHANCEMENTS TO SAMPLE CONTROL OBJECTIVES 


Physical Controls 

Checks, signature stamps, etc are secured 
against unauthorized use. 

Occ 

Financial 

Reporting 

Postings to the general ledger are timely 
and accurate. 

Compl, Acc, 
Cutoff 

Data Files 

Access to data files is restricted to 
authorized personnel. Personal data are 
protected from disclosure. 

Occ, Acc, Compl 

Data Files 

Approved changes to data files (including 
withholding tables) are recorded 
accurately and timely. 

Occ, Acc, Compl 


Fixed Assets 


Ségrégation of 
Duties 

Asset record maintenance and physical 
asset disposition or oversight are 
segregated. 


Approved Capital 
Expenditures 

Capital expenditures are approved and 
documented before acquisition. 

Occ 

Ail Fixed Assets 
Recorded 

Ail fixed assets of the entity are recorded. 
New fixed assets are recorded timely 
and accurately. 

Compl 

Expensed of cap 
per policy 

Assets are capitalized (expensed) per 
CAAP and company policy. 

Occ, Acc 

Ownership 

Assets recorded are owned by the entity 
and are not otherwise sold or represent 
rented facilities. 

Occ, Acc, Rights 
and 

Obligations 

Dépréciation 

Methods 

Dépréciation methods for book and tax 
purposes are in accordance with GAAP, 
regulatory, or tax principles, as 
appropriate, and are accurately 
accounted for on a timely basis. 

Acc 

Physical Controls 

Protection of relevant assets from loss due 
to theft, misuse, lack of maintenance, or 
physical damage. 

Occ, Val 

Impairment 

Fixed assets (including idle assets) are 
regularly reviewed for impairment. 

Val 

Self-Constructed 

Assets 

Interest, costs, payroll, and overhead are 
accounted for as per CAAP, and costs 
are accumulated on a timely basis. 

Compl, Acc, 
Occ, Val 

Disposais 

Disposais are preapproved and recorded 
per GAAP on a timely basis. 


Financial 

Reporting 

Postings to the general ledger are timely 
and accurate. 

Compl, Acc, 
Cutoff 


92 


SAMPLE CONTROL OBJECTIVES FOR MAJOR CYCLES 


Data Files 

Access to data files is restricted to 
authorized personnel. 

Occ, Acc, 
Compl 

Data Files 

Approved changes to data files are 
recorded accurately and timely. 

Occ, Acc, 
Compl 


Goodwill and Intangibles 


Ségrégation of 
Duties 

Those responsible for accounting and 
physical Controls over assets or records 
do not hâve duties that are incompatible 
with maintaining effective internai 
control. 


Recorded Values 

Amounts at which goodwill and other 
intangible asset balances are carried 
remain valid. Impairment is considered. 

Occur, Compl, 
Val 

Amortization 

Amortization of intangible assets is 
recorded in the appropriate period. 

Occur, Compl, 
Val 

Data Files 

Access to data files is restricted to 
authorized personnel. 

Occ, Acc, 
Compl 

Data Files 

Approved changes to data files are 
recorded accurately and timely. 

Occ, Acc, 
Compl 


Tax Accrual and Compliance 


Related Transactions 

Ail related transactions or économie 
events are recorded completely, timely, 
and accurately. 

Tax issues are identified and resolved on a 
timely basis. 

Records support the recorded transactions 
and estimâtes. 

Occ, Compl, 
Acc 

Tax Compliance 

Accurately process, préparé, and file 
required tax documents on a timely 
basis. 

Remit tax payments on a timely basis, 
including any sales taxes collected. 

Compl, Occ, 
Acc, Rights 

Tax Accrual 

Accurately reflect deferred taxes per GAAP 
(SFAS No. 109), including the 
realization of any deferred tax assets. 

Include local, State, and foreign 
commitments. 

Appropriate support and schedules 
underlie the calculations. 

Compl, Acc, 
Val 

Tax Planning 

Recognized tax positions meet GAAP 
criteria for récognition (e.g., SFAS No. 
109 and FIN — Interprétation — 48). 

Acc, Val 


ENHANCEMENTS TO SAMPLE CONTROL OBJECTIVES 


93 


Recognized 
Deferred Tax 
Assets 

Recoverability is reviewed. 
Supporting, corroborating evidence is 
obtained re realization of tax 
benefits. 

Val 

Consistency with 
Entity Goals 

Tax strategies and tax positions are 
consistent with entity goals and 
strategies. 

Val 

Financial Reporting 

Postings to the general ledger are timely 
and accurate. 

Compl, Acc, 
Cutoff 

Disclosure 

Management/those charged with 
governance are aware of significant 
tax-related issues and risks. 

Required disclosure of tax-related issues. 

Présentation 

and 

Disclosure 

Data Files 

Access to data files or worksheets is 
restricted to authorized personnel. 

Occ, Acc, 
Compl 

Data Files 

Approved changes to data files or 
worksheets are recorded accurately and 
timely. 

Occ, Acc, 
Compl 


Commitments and Contingencies 


Ségrégation of 
Duties 

Those responsible for these functions do 
not hâve duties that are incompatible 
with mai ntaining effective internai 
control. 


Contracts 

Contractual liabilities are authorized, and 
disclosed as required. 

Compl, Acc, 
Dis 

Commitments and 
Contingencies 

Commitments and contingencies are 
estimated and identified in a timely 
manner. 

Compl, Acc, 
Dis 

Litigation 

Pending litigation is identified, estimated, 
and disclosed in a timely manner. 

Compl, Acc, 
Dis 

Régulation 

Regulatory actions or exposures are 
assessed as to potential financial 
accounting conséquences and estimated 
and disclosed as required by GAAP. 

Compl, Acc, 
Dis 

Product Recalls 

Product recalls are properly authorized, 
estimated, communicated, and recorded 
in a timely manner. 

Compl, Acc, 
Dis 

Dérivatives — 
Reporting 

Dérivative financial instruments are 
identified, categorized, and classified. 
They are accurately and timely 
accounted for. When dérivatives are 
common, company policies are in place 
covering authorization and permitted 
practices. 

Occ, Compl, 
Acc, Dis 


94 


SAMPLE CONTROL OBJECTIVES FOR MAJOR CYCLES 


Dérivatives — 
Information 

Company information Systems are 
adéquate to maintain the records 
necessary to account for dérivative 
financial instruments. 

Acc 

Financial Reporting 

Postings to the general ledger are timely 
and accurate. 

Compl, Acc, 
Cutoff 

Data Files 

Access to data files is restricted to 

authorized personnel. Personal data are 
protected from disclosure. 

Occ, Acc, 
Compl 

Data Files 

Approved changes to data files (including 
withholding tables) are recorded 
accurately and timely. 

Occ, Acc, 
Compl 


Equity 


Ségrégation of 
Duties 

Those responsible for these functions do 
not hâve duties that are incompatible 
with maintaining effective internai 
control. 


Equity — 
Authorized 

Only authorized changes in the number of 
outstanding shares or amounts of 
partner equities are recorded. Ail 
transactions are recorded accurately and 
in the proper period. 

Occ, Compl 

Treasury Stock, 
Distributions 

Stock buy-backs or distributions are 
authorized and recorded accurately in 
the proper period. 

Occ, Acc 

Stock Options — 
Granting 

Options are granted in accordance with a 
board-approved option plan. 

Controls prevent backdating or 
springloading. 

Occ, Compl, 
Acc 

Stock Options — 
Accounting 

Valuations of options are made to record 
compensation as appropriate. 
Appropriate disclosure information is 
retained in the information System. 

Authorized valid stock options (issued) are 
recorded completely, accurately, and in 
the proper periods. 

Authorized valid exercises, retirements, 
terminations, and modifications and 
cancellations of stock options are 
recorded completely, accurately, and in 
the proper period. 

Val, Discl, Acc 

Dividends or 
Distributions 

Dividends or distributions are authorized 
and recorded accurately in the proper 
period. 

Occ, Compl, 
Acc 


ENHANCEMENTS TO SAMPLE CONTROL OBJECTIVES 


95 


Financial Reporting 

Postings to the general ledger are timely 
and accurate. 

Compl, Acc, 
Cutoff 

Data Files 

Access to data files is restricted to 
authorized personnel. 

Occ, Acc, 
Compl 

Data Files 

Approved changes to data files are 
recorded accurately and timely. 

Occ, Acc, 
Compl 


Investments 


Ségrégation of 
Duties 

Cash management, investments, and debt 
management functions are properly 
segregated. 


Cash Transactions 

The execution of cash related transactions 
is limited to authorized individuals. 

Occ, Rights 

Investments 

Only authorized valid investment 
transactions are recorded and they are 
recorded completely, accurately, and in 
the proper period. Transactions are 
approved at an appropriate management 
level. Transactions are executed only 
with approved counterparties. 

Occ, Compl, 
Acc, Exist 

Investments — 
Information 

Sufficient backup information is available 
to assist in the proper classification of 
securities (held, available for sale, 
trading) for reporting purposes and to 
fair value financial assets and 
investments that are accounted for by 
using fair values. 

Val, Class, 
Discl 

Securities Pricing 

Valuation is timely. The method of 
valuation is per GAAP. 

Related SAS 70 report of service 
organization (if used) is reviewed. 

Acc 

Follow-up 

Long-outstanding or unusual trades in 
terms of amount, parties, nature of the 
investment, and so on are identified and 
reviewed. 

Acc, Compl, 
Occ 

Physical Controls 

Physical Controls over investments are 
maintained to reduce the risk of theft or 
unauthorized use. 

Occ, Exist 

Financial Reporting 

Postings to the general ledger are timely 
and accurate. 

Compl, Acc, 
Cutoff 

Data Files 

Access to data files is restricted to 
authorized personnel. 

Occ, Acc, 
Compl 

Data Files 

Approved changes to data files are 
recorded accurately an timely. 

Occ, Acc, 
Compl, 


96 


SAMPLE CONTROL OBJECTIVES FOR MAJOR CYCLES 


Treasury 


Ségrégation of 
Duties 

Cash management, investments, and debt 
management functions are properly 
segregated. 


Bank Accounts 

Accounts are properly authorized to open 
or close. They are periodically and 
timely reconciled. Activity is 
reviewed/monitored for unusual 
patterns. 

Compl, Occ, Acc 

Policies 

Compliance with any loan covenant 
policies re balances is monitored. 

Rights, 
Présentation 
and Disclosure 

Cash Transfers 

Wire transfer transactions are limited to 
authorized individuals and purposes 
and controlled as to amount and timing. 

Occur, Compl, 
Acc 

Cash 

Transactions 

The execution of other cash-related 
transactions is limited to authorized 
individuals. 

Rights 

Dérivatives 

Debt contracts and agreements are 
routinely reviewed to identify possible 
embedded dérivative provisions. 
Dérivatives are accounted for 
appropriately and in accordance with 
U.S. CAAP. 

Compl, Acc 

Borrowings — 
Third Party 

Third-party debt obligations and related 
interest are complété, properly 
authorized, accurate, and recorded in 
the proper period. Appropriate 
disclosures are made. 

Hybrid debt with equity features (and vice 
versa) is accurately classified and 
disclosed in financial statements. 

Class, Acc, Discl, 
Rights 

Borrowings — 
Related Parties 

Intercompany borrowing and related 
interest are complété, properly 
authorized, accurate, and recorded in 
the proper period. Appropriate 
éliminations are scheduled for 
consolidation. 

Class, Acc, Discl 

Fair Value 

Fair value measurements are applied to 
any related debt as required. 

Valuation 

Off-Balance Sheet 

Off-balance sheet arrangements are 
identified and accounted for 
appropriately and in compliance with 
CAAP. 

Occ, Rights and 
Obligations, 
Acc, 

Présentation 
and Disclosure 


ENHANCEMENTS TO SAMPLE CONTROL OBJECTIVES 


97 


Physical Controls 

Physical Controls over cash and negotiable 
instruments are maintained to reduce 
the risk of theftor unauthorized use. 

Occ, Exist 

Financial Reporting 

Postings to the general ledger are timely 
and accurate. 

Compl, Acc, 
Cutoff 

Data Files 

Access to data files is restricted to 
authorized personnel. 

Occ, Acc, 
Compl 

Data Files 

Approved changes to data files are 
recorded accurately and timely. 

Occ, Acc, 
Compl 


Additional Attributes Regarding Period-End 
(Quarterly and/or Annual) Process 


Related Party 
Transactions 

Ail such transactions are identified. 
Amounts, entities, and timing are accurate. 
Transactions are examined for required 
disclosure and CAAP treatment. 

Compl, Acc, 
Présentation 
and 

Disclosure 

Fair valuation of 
relevant assets 
and liabilities 

Ail relevant accounts/processes are 
identified. Quality appraisals are 
obtained timely and relevant. Consider: 
financial assets and liabilities, and 
investments. 

Acc, Val 

Data Files 

Access to related data files is restricted to 
authorized personnel. 

Occ, Acc, 
Compl 

Data Files 

Approved changes to related data files are 
recorded accurately and timely. 

Occ, Acc, 
Compl 


Loans-Financial Institutions 


Ségrégation of 
Duties 

Loan setup, processing, collections, and 
accounting for the loans are properly 
segregated. 


Policy 

Ail loans are processed in accordance 
with company policies and applicable 
rules and régulations. 

Acc 

Loan Origination 

Only accurate, complété, and valid loan 
applications are accepted. 

Compl, Occ, 
Acc, Rights 

Loan Origination 

Ail loans are properly authorized, 
processed accurately, and recorded 
timely. 

Occ, Acc 

Loan Payments 

Payments for authorized/approved loans 
are recorded completely, accurately. 
and timely. 

Acc, Cutoff 


SAMPLE CONTROL OBJECTIVES FOR MAJOR CYCLES 


Sale of Loans 

Loan sales are properly authorized. 

Loans held for sale are properly classified. 
Authorized loan sales are recorded 
accurately and timely. 

Occur, Rights 
Class, Discl 
Rights, Acc, 
Cutoff 

Servicing Loans 

Ail cash receipts/payments are deposited 
and recorded completely, accurately, 
and timely. 

Comp, Acc, 
Rights 

Servicing Loans 

Delinquent accounts are monitored and 
allowances established. 

Val 

Loan Repayments 

Loan repayments are accurate and 
properly recorded. 

Acc 

Loan and Related 
Asset 

Valuations 

Allowances for loan loss reserves and 
charge-offs are accurate. 

Val, Cutoff 

Foreclosed Assets 
and Real Estate 
Investments 

Acquisitions and sales of foreclosed assets 
are authorized and properly recorded. 

Occ, Exist, 
Rights, Acc 

Physical 

Safeguards 

Adéquate physical Controls over loan files 
and collateral are maintained. 

Exist, Compl, Val 

Financial 

Reporting 

Postings to the general ledger are timely 
and accurate. 

Compl, Acc, 
Cutoff 

Data Files 

Access to data files is restricted to 
authorized personnel. 

Occ, Acc, Compl 

Data Files 

Approved changes to data files (e.g., loan 
master files and interest calculations) are 
recorded accurately and timely. 

Occ, Acc, Compl 


Generic Cycle 


Ségrégation of 
Duties 

Those responsible for accounting and physical 
Controls over assets or records do not hâve 
duties that are incompatible with 
maintaining effective internai control. 


Process 

Transactions are authorized; are recorded 
completely and accurately; are recorded 
timely. 

Occ, Compl, 
Acc, Cutoff 

Physical Controls 

Protection of relevant assets or information 
from loss due to theft, misuse, or physical 
damage. 

Occ, Val 

Financial 

Reporting 

Postings to the general ledger are timely and 
accurate. 

Compl, Acc, 
Cutoff 

Data Files 

Access to data files is restricted to authorized 
personnel. 

Occ, Acc, 
Compl 

Data Files 

Approved changes to data files are recorded 
accurately and timely. 

Occ, Acc, 
Compl 


5 

Setting The Scope of Your 
Documentation Project: 
Identifying The Core 


START WITH OBJECTIVES 

As with mostly everything we hâve discussed so far, the essential starting 
point for determining the extent of documentation you need to include in 
your project is a clear vision of your objectives. If you are planning to report 
on internai Controls, either now or in the near future, or might be reporting on 
internai Controls due to impending régulation or rumblings from your board 
of directors, you may want to cast a broad net across your entity and exclude 
accounts or transactions streams only as your risk assessment concludes that 
risks are low. 

To meet the minimum documentation standards expected for an auditee, 
you probably can eut out the minor revenue streams and locations that individ- 
ually are immaterial in terms of assets, revenues, and income. However, the 
standards are sufficiently new that consensus on where a bright-line minimum 
might be has not been established. And many auditors who hâve worked with 
large public clients hâve been bludgeoned into including just about every- 
thing with a dollar sign in the reporting on internai Controls project because 
of the early interprétations of the guidance in Public Company Accounting 
Oversight Board (PCAOB) Auditing Standard No. 2. Now that that standard 
is being revised, it is not clear in early 2007 what the new expectations 
will be for companies reporting on internai control, but it is likely that the 
requirements will be less draconian than the initial interprétations of Auditing 
Standard No. 2 were. 


99 


100 SETTING THE SCOPE OF YOUR DOCUMENTATION PROJECT: IDENTIFYING THE CORE 


Revenue 

Source 

Income Tax 

Fees 

Fines 

Usage 

Revenue 

Sharing 

2007 

Percent of Total* 

$5,000,000 

50% 

500,000 

5% 

400,000 

4% 

600,000 

6% 

3,500.000 

35% 


Total = $10,000,000 


Exhibit 5.1 Using Revenue to Set Scope 


You may be able to develop a practical guideline of your core by analyzing 
the financial statements and the segment/division/location contributions to the 
numbers flowing into the financial statements. You should be able to include 
in the scope of your documentation a significant portion of the revenues, 
expenses, account balances, and net income, by selecting a reasonable number 
of accounts and locations and transaction types within the scope of your 
project. For example, suppose your municipal entity had several different 
revenue sources, such as income taxes, fees, fines and judgments, usage 
charges, and revenue sharing. (See Exhibit 5.1.) 

Based just on revenues, you might be able to cover 85% of the revenues 
by evaluating the Controls related to the two main streams of revenue. 

Suppose further that the Controls over the receipt and recording of the 
revenue sharing portion were easy to track because these revenues are allo- 
cated from a larger pool of county revenues and transferred to you in an 
easy-to-audit transaction. However, the process over fees and their collection 
and recording is not as well controlled, and there is significant judgment 
involved in assessing and collecting these fees. 

Because of the dollars involved, you may conclude it is still prudent (and 
not a lot of work) to include the revenue-sharing activity in the scope of your 
procedures. Because of the perceived risks involved, you may conclude you 
should include the fees activity in the main scope of your documentation. 
In some cases the amounts or the risks associated with a component of the 
financial statements will cause you to include those streams within your 
project scope. 

You might take similar measures of other financial statement accounts and, 
in profit-oriented entities, consider the contribution to profit. Thus, you may 
find a profile of revenues, expenses, and locations or segments emerging from 
your analysis that really define the core of your entity. That core can be a 
starting point to détermine what needs to be included in the main part of your 
Controls documentation project. 

You may still need some talking points to address the areas you do not 
identify as your core. One such approach followed by some entities is to make 


START WITH OBJECTIVES 


101 


a list of the main Controls and procedures that are in place regarding those 
amounts excluded from the analysis. For example, some entities consist of 
numerous smaller entities that are part of the Consolidated entity but individ- 
ually and in the aggregate still make up only a small part of the overall entity. 
It may be possible to say that these entities adhéré to a common account- 
ing manual of procedures, use approved software, and perform monthly bank 
réconciliations; that management or internai audit visits such locations period- 
ically; and that monitoring the cash flows and the income from these locations 
is sufficient for management to detect a significant departure from expecta- 
tions. 

If you are planning to report on internai Controls, I suggest you include 
ail the material financial statement accounts and éléments in your initial 
documentation and assessment of Controls, but concentrate testing on those 
éléments and transaction streams most sensitive to misstatement or fraud. 
Your documentation and design assessments can be broader (and should be, 
for your own protection) than your testing plans need to be. In my view, 
too many entities and their auditors are too quick in using risk assessment 
judgments to exclude amounts completely from the scope of the examination. 
There will corne a day of reckoning for those who incorrectly assess risk, 
as there was with those who thought there was little or no risk in auditing 
Enron, WorldCom, and Parmalat. Smaller entities suffer similar fates based 
on bad guesses regarding risk, you just do not hear about them. They just 
become empty storefronts at the local strip mall. 

As you perform this analysis, you may wish to review your conclusions 
with your independent auditor to see if your reasoning is on target with his 
or her expectations. Having to expand a project late in the year can be both 
annoying and expensive. In one case I can recall, a reluctant client with an 
attitude started with a proposed scope of coverage that was far less than any 
reasonable estimate of the required scope under AS No. 2 and kept coming 
back time and time again with proposed incrémental increases, becoming 
angrier and angrier that the scope had to increase, and never understanding 
that the better answer was to start at the other end and exclude trivial aspects 
of the entity. In the end the same resuit was achieved with the side benefit 
of increased blood pressure for ail involved. 

After the Initial Year 

It does not hurt to think longer term. The first year of documentation requires 
a significant commitment of time and effort. You may prioritize the core 
that needs to be included in year one. However, in subséquent years, you 


102 SETTING THE SCOPE OF YOUR DOCUMENTATION PROJECT: IDENTIFYING THE CORE 


should consider whether to expand the documentation process into a few 
other areas. Once you hâve the internai expérience in doing the documentation 
and assessment, you will find these procedures do not take long to perform, 
and you may conclude that unexpected benefits and efficiencies can be gained 
from digging into the business at this level. 


MAPPING THE ENTITY TO THE FINANCIAL STATEMENTS: 
THE INS AND OUTS 

In the last section we illustrated a technique for using revenues to identify 
the core of your entity for documentation and assessment. A further sug- 
gestion would be for the Controls documentation project manager to make 
a template of accounts and balances based on the last set of financial state- 
ments. Both the balance sheet and the income statement are relevant, so 
include them along the left column of a multicolumn spreadsheet. In most 
financial reports, the detailed accounts listed in the Consolidated auditor’s 
report are material in amount, or else they would hâve been summarized 
in some way. Enumerate them in the spreadsheet. Décidé on some mean- 
ingful way of expressing the different parts of the business across the top 
rows: say, by segments/divisions/locations/types of revenues, and so on, that 
describe your entity. (I will call these “segments” for discussion purposes.) 
Leave a column between each segment. Now, using data relating to each of 
the identified segments, break out the aggregate Consolidated numbers into 
the individual segments. In some commercial companies, there exist sales 
subsidiaries for which a sales activity is the only activity associated with the 
location; order fulfillment and other activities are accounted for elsewhere. 
In such entities, do not be surprised if some such segments only hâve one 
relevant or significant process (sales to cash). 

Hâve the spreadsheet compute for you the percent of the Consolidated 
total of each segment. What you should see emerging from this analysis 
is the ability for you to identify the core of your entity. You may wish 
to give spécial considération to the implications of transactions (or trans- 
fers of costs and revenues) between segments (if there are any) when they 
are présent, even though they may be eliminated during the consolidation 
process. 

In the following exhibit (Exhibit 5.2), the financial statement data is used 
to identify those accounts and cycles that are to be included in the scope of 
the documentation and assessment project. 


MAPPING THE ENTITY TO THE FINANCIAL STATEMENTS: THE INS AND OUTS 


103 


Accounts 

Consolidated 

Connecticut 

Percentage 

New York 

Percentage 

Revenues 

1,000,000 

800,000 

80 

200,000 

20 

Expenses 

950,000 

250,000 

26 

700,000 

74 

Income 

50,000 

300,000 

150 

(250,000) 

— 

Assets 

4,000,000 

1 ,000,000 

25 

3,000,000 

75 

Liabilities 

3,500,000 

0 

0 

3,500,000 

100 

Owners Capital 

500,000 

1,000,000 

200 

(500,000) 

- 


Exhibit 5.2 Using The Financial Statements to Set The Scope — Summary Categories 


Exhibit 5.2 Analysis 

This example shows summary financial data only as an illustration. The New 
York location is a headquarters and a first-stage manufacturing center; sales 
transactions are conducted out of the Connecticut facility, which finalizes the 
product to spécifications for shipment. By including the assets and liabilities 
and expenses at corporate and the revenues at the primary sales location, 
most of the core business can be covered. The income row is not a very 
meaningful one from which to make inclusion decisions in this example. 
Even in the areas that are not identified as the core, a risk assessment and 
some talking points regarding Controls may need to be developed, since the 
amounts in the noncore areas are not immaterial or trivial. 

Do not be surprised if the largest revenue and the largest cost contributors 
are not in the same segment or location. The key is to look at the entity 
as a whole and identify where the revenues and costs are accumulating. In 
some universities, revenues (e.g., day tuition, graduate tuition, night school 
tuition, fees, etc) are meticulously segregated, but the costs of undergraduate, 
graduate, and distance leaming faculty may be ail accounted for the same 
way and not segregated. 

You may hâve to slice and dice your entity several different ways (e.g., 
product line, location, revenue type such as cash sales and Internet sales) 
in order to find a logical entity profile. However, this actually results in an 
excellent documentation of your thought process as to what portion of your 
entity is considered your core and why it is or is not included in the scope 
of your documentation project. 

You may need to update this analysis going forward to hâve it respond to 
changes in your business. Along the way you may even need to reconsider the 
base used in segmenting the entity. If location was a logical base to use for 
the assessment initially, product line may be a more logical and cost-effective 
base to use in future years. Don’t get stuck in a rut. 


104 SETTING THE SCOPE OF YOUR DOCUMENTATION PROJECT: IDENTIFYING THE CORE 


CONSIDER RISKS, NOT JUST QUANTITATIVE MEASURES 

I mentioned risk several times in conjunction with what to include in and what 
to exclude from your documentation project. As you can see by now, I am 
skittish about excluding accounts and processes because they are judged to be 
“low risk,” since if you exclude an item from the scope of your procedures, 
you may not identify until it is way too late that the item, account, or process 
is in fact not low risk. 

No business person or auditor in their right mind starts out deliberately tak- 
ing chances that a risky area will allow a material misstatement to occur that 
will cause the financial statements to be misstated. As skilled and as experi- 
enced as many managers and auditors are, the auditors of public entities, and 
the businesses they audit hâve many painful reminders of the conséquences of 
making bad judgments regarding risks. The reminders are in terms of income 
loss and réputation effects, and they stretch back over décades. 

Nevertheless, risk judgments are made, and in order for audits to be eco- 
nomical, they will continue to be. But very few financial statement éléments 
are inherently and by their nature al way s low risk in ail circumstances. 
Generalizing from expériences with other businesses or from other audit 
engagements gives a distorted view of risk, because the only risk that counts 
is the one spécifie to the entity and engagement right here and now. The low 
probability of risk in the cash account did nothing to protect the sharehold- 
ers and auditors of Parmalat, an Italian dairy company, from financial ruin 
when it was discovered that the auditors were served a bogus confirmation of 
a Bank of America account of over $3 billion. This led to the discovery that 
a whole portion of the reported entity was bogus, and had been for years. 

Go ahead, name some low-risk areas. Auditors generally pick fixed assets 
as a low inhérent risk area for many businesses. Well, that was not the way 
it worked out at WorldCom, where major reclassifications of expenses were 
charged to fixed assets and doing so inflated reported income. The poster 
child for audit skepticism and fixed assets risk was ZZZBest, a Wall Street 
darling start-up with interests in building restoration projects and ail kinds 
of growth potential. In reality, the company was building files of fraudulent 
documents and misleading its auditors into thinking that it had interests in 
various buildings and fixed assets when it did not. 

Barings Bank and Orange County, California, were stung a few years ago 
when financial instruments trading that in the past had been profitable went 
sour and what had been a profitable venture for the entities wound up creating 
huge losses and exposures that generated financial disaster, well beyond just 


OVERSTATEMENT AND UNDERSTATEMENT 


105 


the loss of income from these operations. Care needs to be taken to understand 
what risks various types of transactions and activities can expose the entity 
to; do not just look at the measure of revenue, asset, or income measurement 
in a normal year. 

It is hard to think of a safe area in the financial statements and processes 
that does not deserve some level of considération or scrutiny every once in 
a while. Consequently, it is helpful to rotate the emphasis and the areas 
in which management monitors and auditors audit. The nature, timing, and 
extent of monitoring and testing procedures should be varied such that the 
unpredictability of the oversight and the audit process helps ensure that those 
tempted to take risks and misstate or misappropriate realize that they are really 
taking a risk. Ail too often, management oversight and monitoring and the 
audit procedures applied become predictable and thus game for the fraudster. 


OVERSTATEMENT AND UNDERSTATEMENT 

The risks of overstatement and understatement regarding internai Controls 
over financial reporting are commonly misunderstood. Many auditors working 
in public company environments easily recognize the risk of an overstate- 
ment of income. However, in a private entity, minimization of taxes might 
motivate owners to want to understate accounting income to the extent it 
impacts tax liabilities. The assertion of occurrence often associated with 
income overstatement sometimes needs to take a backseat to the assertion of 
completeness . 

Let’s say you base your scoping of procedures on the recorded amounts of 
sales at various locations. If the sales at the Binghamton, New York, location 
are being systematically skimmed, then that location will seem to be less 
important for both Controls assessment and monitoring — just the opposite of 
what should happen at that location. This sort of internai theft can be difficult 
to detect, which points out a common limitation of monitoring (or auditing) 
based on reported numbers that might not be accurate: It is harder to detect 
error in amounts that never enter the joumals and accounts than it is to detect 
errors in amounts that are actually recorded. Suppose your entity is a church; 
do you hâve a track record of how much loose cash is generally collected at 
a service? Do you hâve statistics that relate the loose plate collections to the 
attendance? Is the amount recorded in the books what was put in the plate, or 
just the amount that was deposited in the bank account? How do you know? 
Can there be a disconnect here? 


106 SETTING THE SCOPE OF YOUR DOCUMENTATION PROJECT: IDENTIFYING THE CORE 


INCLUDE THE CLOSE PROCESS AND PREPARATION 
OF THE FINANCIAL STATEMENTS 

In ail but the smallest of operations, procedures and Controls should be put 
in place to ensure the books are closed properly and financial statements are 
drafted. In large entities, this can be a rather formai process with multiple 
levels of review and approvals, but most entities could benefit from at least 
a procedures description of what adjustments need to be made (e.g., dépré- 
ciation, allowances for product retums, etc.) if only to provide institutional 
knowledge to the next bookkeeper. 

Some attention to this point may lead to entities taking on more respon- 
sibility for the closing and statement préparation process. It is not that the 
process is hard or complicated in many cases; it is just unfamiliar to those 
who face it only once a year. 

Recall that an entity that is unable to close its books and draft the financial 
statements and does not hire resources (other than the independent auditor) 
to do so may receive a required communication (under SAS No. 112, Com- 
municating Internai Control Related Matters Identified in an Audit ) from its 
auditor noting that there exists a significant deficiency or a material weak- 
ness in internai Controls over financial reporting. Independent auditors cannot 
be part of an entity’ s internai Controls under the principles of the COSO 
Framework. 

Performing many of the steps associated with the close and reporting 
process will likely lessen any level of deficiency that might otherwise be 
assessed. 


BE CAREFULOUT THERE! 

OK, you hâve gone through this analysis and assessment process and you 
hâve identified your core for documentation and assessment. That is not the 
end of it. Fires rarely occur next door to firehouses. You hâve put Controls 
and monitoring in place, but stuff happens. You will need to pay attention 
to ail kinds of possible signais and unexpected test results. If complaints 
and calls indicate that shipments are not being fulfilled or billed accurately, 
then those Controls over that process need to be examined more closely. 
Identified substantive misstatements in financial statement amounts generally 
imply some sort of control failures. You may need, based on an alarm signal, 
to assess the risk of misstatement as higher in an area that did not initially 
attract a lot of attention because it was not that significant. If the area is 


BECAREFULOUT THERE! 


107 


teeming with risk, the dollar exposure might be proportionally greater than 
the size of the process or account might indicate. Leverage off your past 
expérience, both good and bad. And don’t forget to periodically revisit even 
the low-risk areas and look at them with fresh eyes. 



6 

Estabushing a Basis for Controls 
Effectiveness: Testing Controls 


"AUDITORS SHOULD DEVELOP AN UNDERSTANDING OF 
INTERNAL CONTROLS . . 

Under the new auditing standards effective for company fiscal years beginning 
after December 15, 2006, auditors of private, not-for-profit and govemment 
entities are charged with obtaining an understanding of an entity’s internai 
Controls as part of their risk assessment procedures. Auditors, in addition to 
being instructed to follow guidance such as the COSO Framework guid- 
ance we hâve been discussing, specifically need to assess the design of 
audited entity Controls (i.e., they need to détermine whether the Controls 
appear to meet the control objectives or attributes outlined in the COSO 
guidance). When Controls are unable to meet the control objectives, and gaps 
are identified in Controls design, auditors will need to communicate signifi- 
cant deficiencies and material weaknesses to management and those charged 
with govemance on a timely basis and in writing. 

There is good reason for this requirement. Actually, this requirement is not 
intended to be a new responsibility; previous literature as far back a couple 
of décades intended that the auditor obtain this understanding and make an 
assessment of Controls design. However, in practice, some auditors chose to 
perform a substantive audit of balances and accounts, and that lessened the 
attention that was given to internai Controls. 

What we hâve learned from the latest round of frauds, scandais, and busi- 
ness and audit failures is that Controls cannot be ignored or minimized. Sub- 
stantive tests of balances and accounts alone are often not powerful enough 
to detect clever frauds or the subtle or small (but cumulatively material) 


109 


110 ESTABLISHING A BASIS FOR CONTROLS EFFECTIVENESS: TESTING CONTROLS 

misstatements that can occur. In the absence of Controls, the door is wide 
open for error or fraud. As trusting as we might be of the quality of the 
accounting and integrity of people, there are constant reminders in the media 
that we should “Trust, but verify.” We hâve also seen how after-the-fact 
misunderstandings over who said what to whom and when often arise when 
frauds and misstatements are discovered. What auditors seem to think is 
obvious often results in a concem over “why did you not tell me?” Who 
is at fault when the trusty bookkeeper absconds with the funds? Those 
charged with govemance are often heard to say “That’ s what we hire you 
for.” Well, it is now reemphasized in the literature that control gaps need 
to be explicitly communicated by the auditor. And since more attention will 
be given to the design of the Controls, you can expect that more issues will be 
identified. 


Controls Design 

The ability of the Controls design to meet the control objectives is predicated 
on the ability of entities to describe the processes, procedures, and Controls 
in place so they can be compared to the benchmark control objectives (or 
attributes). That means the Controls — not just the processes — need to be 
documented. 

It is far better that companies themselves document their Controls to the 
extent possible rather than hâve a third party do so. There are significant 
benefits to documenting and maintaining documentation of internai Controls 
in house. 

• It is cheaper. Consultants can be expensive, particularly if they become 
a permanent fixture after the initial assignment is complété. You will 
need to wean yourself away from relying on them at some point any- 
way. 

• You will spend considérable time anyway. While some consultants may 
be expert in documenting processes and Controls, they do not know 
your organization, and you will spend significant time explaining to 
them what you know so they can re-package that information to corne 
back to you in another form. Maintaining documentation from year to 
year is generally less time-intensive than initially creating it, and many 
entities hâve sufficient resources to update the information annually, 
even if they did not hâve the time or skills to create the first version. 

• Controls consciousness will be increased. This is a wonderful oppor- 
tunity for financial management to become aware of Controls and any 
gaps that might exist, so that effective monitoring can take place 


"AUDITORS SHOULD DEVELOP AN UNDERSTANDING OF INTERNAL CONTROLS. . 111 

to lessen the risks from the existing gaps. Don’t miss out on this 
opportunity to get doser to your business. After reporting on internai 
Controls for their public clients, many auditors stated that they had a 
much better understanding of their clients and their operations after 
having gone through the risk assessment and Controls documentation 
of the first year of Sarbanes-Oxley compliance. Many managements 
had the same reaction. 

Auditors of nonpublic companies can help their clients document their 
Controls, whereas auditors of public companies are severely restricted in their 
ability to do so due to independence concerns. (It is not practical to be inde- 
pendent in auditing work that you created.) Even so, auditors of nonpublic 
entities still need to be careful not to be so involved in this process that 
their independence standards are challenged. In general, it is best if manage- 
ment takes control of the project and the auditor only serves in an advisory 
capacity. 

Nevertheless, your independent auditors may not even hâve the capacity 
to assist you in this task, as, starting in 2007, many public and nonpublic 
entities are documenting their Controls more rigorously than before. Extemal 
resources, such as this text, and tools such as the COSO guidance (1992 and 
2006 reports, available at the American Institute of Certified Public Accoun- 
tants Web site, www.cpa2biz.org) in conjunction with Controls documentation 
software or documentation templates may be of significant assistance to you 
in structuring your tasks. 

While some auditors are pleased to assist in this task during the traditional 
slow season, such a period rarely exists anymore for many firms, as auditors 
are in shorter supply these days due to increased professional demands. In any 
case, if auditors détermine that the reason they are documenting the Controls 
is that your organization lacks the skill and knowledge to do so, under the 
new professional standards, besides their invoice, they must send a deficiency 
letter (per SAS No 1 12) addressed to your management and your govemance 
group saying that you lack this element of internai control. A little insult to 
go along with your injury. 

Confirm the Controls Hâve Been Implemented 

Auditors of nonpublic entities are advised that they should also perform 
procedures to confirm that the documented internai Controls are indeed in 
place and being performed. This step can be accomplished in a number of 
ways. Inquiry alone is not sufficient to ensure that the described Controls 
hâve been placed in operation. Observation, examination of evidence that the 


112 ESTABLISHING A BASIS FOR CONTROLS EFFECTIVENESS: TESTING CONTROLS 

control is being performed, and perhaps a walk-through of a transaction from 
inception through its accumulation within the financial statement amounts 
may be needed to ensure the process and Controls that should be there, are 
indeed there. 

The walk-through has been a common auditor tool for many years to con- 
firm how things work. There are different ways to perform a walk-through. 
In some cases, auditors might also start with the general ledger and trace a 
transaction or a summarization back to the origin of the transaction, mak- 
ing sure it was processed and controlled as it should hâve been. Still others 
perform walk-throughs by looking at each control point in the process and 
examining some evidence, such as a stamped invoice or an initialed docu- 
ment, or making observations to confirm that, at least at that time and place, 
the control was in operation. 

Why should entities care about this process? It is because eventually the 
auditor will need to hâve the process confirmed; by using a dry run to identify 
glitches in the documentation, you can avoid a lot of discussion, wasted time, 
and remediation later on. Often additional issues and risks are identified 
during this process that were not évident when thinking through what to 
document and how the Controls meet the control objectives. Ideally, someone 
who did not create the draft documentation is in the best position to judge 
the accuracy of the documentation in comparison to the Controls in place 
in real life, but the passage of time can help the person who drafted the 
documentation to be more objective. Clear and accurate documentation also 
provides a better foundation for the internai monitoring function to take place, 
since the process being monitored is correctly described. Consequently, many 
entities perform this procedure to confirm the control is in place, particularly 
in the first year of documentation. 

Meeting the Minimum Documentation Requirements 

When documenting Controls to meet the minimum standard for entities not 
reporting on internai Controls, ail the auditor needs to do is perform a gap 
assessment of the design of the Controls and gather some evidence that the 
control has been implemented. In addition, these procedures need to be car- 
ried out only for the main processes and accounts in the financial statements 
(e.g., revenues, main expenses, payroll, etc.), not necessarily for ail the pro- 
cesses, as would be required if companies intended to publicly report on the 
effectiveness of their Controls. Many entities may hâve finished meeting their 
minimum requirements after they hâve documented their internai Controls for 
their major cycles. 


MONITORING 


113 


If auditors want to rely significantly on the effective operation of entity 
Controls when setting the nature, extent, and timing of other audit procedures, 
then the must test Controls from throughout the period of intended reliance 
or rely on testing performed by an objective and competent resource, such as 
a qualified internai auditor or a third-party consultant. Employée self-testing 
of Controls 1 often does not count for much, but some testing is expected to 
be performed by management as part of its monitoring function. Auditors 
may take advantage of effective Controls in reducing the number of accounts 
receivable confirmations sent to customers, in performing those procedures 
prior to year-end, and in rolling the conclusions forward to year-end based 
on Controls reliance and analytical procedures. Other examples of savings 
that can be supported by effective Controls include reduced and/or earlier 
inventory testing and less direct testing of the cost accumulations process in 
costing Systems. 


MONITORING 

One of the COSO five components is monitoring. A well-controlled entity 
should monitor its financial data processing to ensure the data are being 
entered accurately and in accordance with company policies. This monitoring 
should be an ongoing activity of management throughout the year, not a 
periodic examination like the independent audit. 

In smaller organizations, monitoring is often far less formai than in larger 
and more complex entities. One way some managers oversee things is 
MBWA: Management By Walking Around. They inquire of what their 
employées are doing and take an interest in understanding the project or 
procedure employées are performing. Indeed, a lot can be leamed by doing 
just that. 

Still other business owners are content to stay in their closed-door offices 
and perform research for new ventures, talk to customers, or in other ways 
create distance between themselves and their business operations. Scientist 
entrepreneurs and bureaucrats can easily fall into these patterns of isolation; 
often the details of their business operations do not interest them greatly 
and leave it to others to handle “those things.” In the absence of a manager 


1. In some cases employées may be assigned to test Controls in departments other than the one in 
which they work or to test Controls that do not relate to their areas of responsibility. Sometimes 
such testing may count toward objective testing, but much dépends on the facts and circumstances. 
You may wish to get the views of your independent auditor before assuming that a particular plan 
of internai testing will count for audit purposes. 


114 ESTABLISHING A BASIS FOR CONTROLS EFFECTIVENESS: TESTING CONTROLS 

who cares enough to oversee and monitor the business, they are often setting 
themselves up for a rude awakening. Imagine the signal some of these own- 
ers are sending to their financial staffs: Their work is not important, and the 
boss does not care about the things they devote their days and often evenings 
and weekends to. More than one employée has cited management indifférence 
and inattention as providing the opportunity, and sometimes the rationaliza- 
tion, for mischief. 

Benefiting from the disastrous events of financial statement fraud and 
accounting abuses of the late 1990s and early 2000 periods, recent audit- 
ing literature identified a triangle that establishes the environment for fraud 
to occur: 2 

• Motivation. While we can ail understand financial gain as a motive 
for some forms of mischief, many times resentment and other feelings 
that hâve been inadvertently generated provide a strong motivation for 
employée actions. Getting even may be a more powerful motivation for 
asset misappropriation and ineffective performance than is generally 
realized. When management takes an honest and active interest in ail 
aspects of entity operations, some sources of such resentments can be 
prevented. If financial reporting is an important activity, let someone 
know it. 

• Opportunity. Leaving the door open is just inviting trouble. When 
employées think you do not care or pay attention to financial matters, 
it leaves the door open for mischief to occur. While management may 
think that employées are like family and that Controls and oversight are 
inherently insulting to them, there is no reason that effective Controls 
need to be designed or presented in such a manner. In fact, many 
employées would prefer not to hâve to face the daily challenge of an 
open cash drawer. The fewer opportunities that exist, the fewer losses 
will occur. Recall the 2006 Association of Certified Fraud Examiners 
survey statistic that the médian size reported fraud in entities of fewer 
than 100 employées is $190,000. Smaller entities hâve to be fairly 
inattentive not to miss that amount of money. 

• Rationalization. The third element is that mischief makers generally 
find a rationalization for their actions. It might be because of low pay 
(“I am entitled to better compensation”), perceived unfair treatment 
(“Jane got my GS-8 promotion”), a need for money to meet a truly 


2. SAS No. 99, Considération of Fraud in a Financial Statement Audit (AICPA, New York, NY, 
2002). 


MONITORING 


115 


serious illness or family crisis (“I intend to repay this very soon — it’s 
just a loan”), or a serious deprivation (“I lack a BMW”). Again, 
resentment and perceived injustice can be a strong motivator for some 
individuals. 

I was fascinated by the 2006 news story of a medical office secretary who 
over the course of several years had diverted $2.3 million in funds to her 
Personal use, the money going to buy lottery tickets and gambling opportu- 
nities for even larger winnings. 3 Her husband claimed he was unaware of the 
activity and that she was a “great mother and a great wife. . . She was your 
everyday house mom.” Maybe so, but how does a business not miss $2.3 mil- 
lion? Frauds often generally start the same way. They involve trivial amounts 
initially, and just grow and grow since nobody seems to be paying attention. 

A New Jersey newspaper reported on September 7, 2006: 

The theft of a small fortune by the gray-haired bookkeeper and mother was 

brazenly committed right under the boss’s nose as she sat at her desk [She] 

used her office computer to gamble away $1.5 million belonging to the firm and 
the firm’ s clients between 2002 and 2005. 4 

Never steal anything small! 

Monitoring means more than just walking around. It means looking care- 
fully at the bank réconciliations and looking at canceled checks (or copies 
provided by the bank) to make sure the names agréé with the checkbook 
or ledger names. It means testing that customers were on the approved cus- 
tomer list before the order was shipped. In short, it means that management 
is testing that the Controls that should be in place are in place. The owner 
should keep a record of what monitoring specifically was done — whether it 
is examining an invoice in significant detail before payment or periodically 
checking summary financial data. An initial on a schedule or a document can 
go a long way toward giving the auditor comfort as to what was done and 
when, and it also documents performance of the monitoring fonction. 

Be alert for additional guidance from the COSO in 2007 or 2008 regarding 
the monitoring fonction in smaller entities — what it should be and how to 
reflect best practices. The rôle of the monitoring fonction has been the sub- 
ject of debate and controversy as to whether it can be much of a substitute 
for effective Controls at the control activity level. More and more smaller 
entities are citing monitoring as a mitigating factor in the assessment of the 


3. Reported at www.nysscpa.org, “LJ. Bookkeeper Admits Stealing $2.3 M to Play Lottery.” Posted 
8/24/06. 

4. “Maplewood Mom Admits $1.5 M Theft from Employer,” Star-Ledger, September 7, 2006. 


116 ESTABLISHING A BASIS FOR CONTROLS EFFECTIVENESS: TESTING CONTROLS 

potential severity of identified control design and operating deficiencies. Often 
it is not clear how effective various monitoring activities, such as reviewing 
summary financial reports and walking around, can be in limiting potential 
misstatements to less than a material amount. It is also less clear how either 
management or the auditor can be comfortable in taking crédit for procedures 
where there is a lack of documentary evidence that they were performed. 


SAMPLING AND TESTING CONTROLS 

When management wishes to report formally on Controls, there needs to be a 
basis for its assertion about the effectiveness of Controls. This basis is usually 
established by testing the Controls. Management may need to adopt a number 
of different testing approaches and strategies in order to gain evidence that 
ail five components of the framework are operating effectively. 

Sampling is most often associated with manual Controls, such as approvals 
of invoices for payments, clearing exceptions on exception reports, and proce- 
dures to ensure the completeness and accuracy of intracompany transactions 
that need to be eliminated in consolidation. 

Sampling Principles 

In a sample, a few représentative items are examined for the purpose of 
concluding something about the population of items. Results of a sample 
are said to be extrapolated to the population. For example, if 25 instances 
of a control are selected for examination and 1 exception is found, the best 
estimate of the population déviation rate is 1/25, or 4%. Now, we intuitively 
know that the true déviation rate may be higher or lower than 4%, but that 
is what the sample told us. While a 4% déviation rate may not be alarming 
(e.g., 96% of the time the control opérâtes effectively), the fact is that the 
true déviation rate could be higher. 

If the sample had been selected randomly, the principles of statistical sam- 
pling could be used to evaluate the sample and détermine, with a known 
confidence level, the statistical upper limit on the déviation rate. In our 
example of 1 déviation from 25 items, the tester could be 90% assured that 
the true rate of déviation in the population is less than 14.69%. To hâve a 
high assurance, the upper limit is generally a more appropriate measure of 
the potential error than the extrapolated 4%. 

In samples that were not randomly selected, if sélection bias was avoided 
and représentative items were intended to be selected, these statistical mea- 
sures may still hâve some reference validity. 


SAMPLING AND TESTING CONTROLS 


117 


Sample sizes and the results of samples can be evaluated by computer 
programs and tables or by formulas. I used the program IDE A to compute this 
resuit, but similar results could hâve been obtained by using other software or 
the table that is provided in Appendix 6A. 5 The exactitude of the procedure is 
not that critical to judging whether the control is operating effectively. In my 
view, a control that could fail over 10% of the time is not very impressive. If 
material dollars run through this control point, material misstatement certainly 
seems possible. 


Do You Need High Assurance? 

If the purpose of the testing is to support an assertion that the Controls are 
operating effectively, then yes, you do need high assurance. The million-dollar 
question is what is “high assurance”? For statistical sampling concepts, high 
assurance is generally considered be around a 90% or more (e.g., 95%) con- 
fidence level for the sample. The confidence level is only one of the variables 
needed to détermine a sample size. The second parameter is the upper thresh- 
old on a déviation rate you could tolerate before concluding the control was 
not reliable. This is called the tolerable déviation rate. Many auditors, when 
assessing Controls effectiveness, set this parameter at 10% or less, reasoning 
that an important control that could fail more than 10% of the time is not 
very effective. 

Using tables or computer programs and the parameter of 90% confidence 
and 10% tolerable déviation rate (even ignoring a factor for expected dévi- 
ations that would increase the required sample size) would yield a statistical 
sample of 22 items in a large population (e.g., over 500 instances of the 
control could be considered a large population). For manual Controls, use- 
ful sample size range minimums in public company audit practices today 
are 22 to 45. Some firms and entities believe that a 10% tolerable dévia- 
tion rate is pretty intolérable to hâve effective Controls (and I agréé); thus, 
when the tolerable déviation rate is set at 5%, the sample size is in the 
range of 45 items. Still other firms recognize that for critical Controls in, 
say, revenue récognition, these sample sizes may still be too low. Sample 
sizes of 100 items are not unheard of for a complicated and high-risk test of 
a control. 

You will need to consider the level of assurance and threshold of effective- 
ness you are comfortable with when testing your own Controls. The guidance 


5. IDEA Data Analysis Software V7.0, 2007. CaseWare IDEA Inc., Toronto, Canada 
(www.caseware-idea.com/fsh.asp). 


118 ESTABLISHING A BASIS FOR CONTROLS EFFECTIVENESS: TESTING CONTROLS 

just discussed is just for your référencé. You might get some pushback from 
your auditor if you use samples to support your assertions of Controls that 
are significantly smaller than the minimum sizes just discussed, and need to 
make an assertion on the effectiveness of your entity Controls. You might 
also encounter some nasty surprises if you undertest your Controls and later 
your auditor finds lots of déviations in a more appropriately sized sample. 
There is no free lunch here. A defective process will generally be detected: 
by your tests or your auditor’ s, or through errors that eventually work their 
way into the financial statements and later need correction. Frankly, I think 
it is a benefit for the entity to find these defective Controls first and correct 
them. I guarantee it will be more economical than when you are paying pro- 
fessional fees for the work and ail the paperwork that goes with an audit 
finding. 


Setting Sample Sizes 

In most cases, testers do not think they will observe déviations in the sample, 
and many will design samples with the expectation that no exceptions will be 
found. Others will choose to design enough items in the sample so that if one 
déviation is found, it will not cause the test to fail. However, inevitably, you 
will find exceptions in your testing, so a zéro expected déviation assumption 
is not always wise unless the process is clearly very strong. 

There are different ways to deal with the risk that some déviation might 
be found. One is to add in an expected error déviation rate when designing 
the sample and use the tables or a program to compute an appropriate sample 
size that will still keep the upper limit under the threshold rate if a déviation 
or two is encountered. This will raise the sample size. The doser the expected 
déviation rate is to the tolerable rate, the more dramatic the rise in the sample 
size. When the expected rate starts to approach the tolerable rate, it is probably 
time to fix the control to be more effective even before testing it. 

For example, using a 90% table from Appendix 6A and for a 5% tolerable 
rate, the table shows a minimum sample size of 45 items. If allowance is 
made for an expected 1% rate, then the one-stage sample size increases to 
80 items. 

Another approach is to design a two-stage sampling plan such that the 
sample can be stopped (the sample resuit “passes”) if after the first stage 
no déviations are found, or the test continues to an additional sampling 
stage if one déviation is encountered. When two déviations are found, the 
plan “fails,” and it is recommended that the underlying process be fixed 
before further sampling. A two-stage sequential sampling plan is described in 


INFREQUENTLY OPERATING CONTROLS 


119 


Tolerable Rate 

Initial 

Sample Size 

Second-Stage 
Sample Size 

10 

23 

29 

9 

26 

30 

8 

30 

30 

7 

35 

32 

6 

41 

38 

5 

51 

39 

4 

64 

49 

3 

89 

56 

2 

133 

87 


Exhibit 6.1 A Two-Stage Sequential Sampling 
Plan — 90% Confidence 


Montgomery’ s Auditing for a 90% confidence level. 6 Other tables at differ- 
ent confidence levels are also shown there. Exhibit 6.1 présents a two-stage 
sequential sampling plan. 

An inexact but very simple approach sometimes followed in audit practice 
(on a nonstatistical basis) is, when planning for zéro errors and one appears in 
the sample, to increase the initial sample size by 100% to form a second-stage 
sample. The practice of adding 5 or 10 additional items to the first sample 
is generally useless and ineffective from the standpoint of the value of the 
additional evidence obtained. 

Even when a déviation is planned for, care needs to be taken when accept- 
ing a control déviation that it does not represent qualitative characteristics 
that indicate a serious issue, such as a fraud or a systematic error that is likely 
to be repeated throughout the population of Controls under certain conditions. 

The old audit practice concept of excusing an isolated exception found in 
a sample resuit has pretty much disappeared from acceptable audit practice, 
as, more often than not, the sélection of a représentative sample of items did 
indeed select a “représentative” exception. The isolated exception concept may 
be an interesting theory but a dangerous practice. Don’t fool yourself here. 

INFREQUENTLY OPERATING CONTROLS 

Some Controls only operate annually, quarterly, or weekly. Thus the popula- 
tion of Controls is quite small, and the previous guidelines are not helpful. 


6. V. O’Reilly, P. McDonnell, B. Winograd, J. Gerson, and H. Jaenicke, Montgomery’ s Auditing: 
Twelfth Edition (New York: John Wiley & Sons, 1998), Chapter 16, p. 47. 


120 


ESTABLISHING A BASIS FOR CONTROLS EFFECTIVENESS: TESTING CONTROLS 


Control Frequency or 
Population Size 

Suggested Sample Size 

Quarterly 

2 

Monthly 

2-4 

Weekly 

5-9 


Exhibit 6.2 Testing Infrequently Operating 
Controls 


Again, auditing practice has developed some practical testing ranges in this 
area. These are presented in Exhibit 6.2 for your convenience. Since infre- 
quently operating Controls often involve large amounts or summaries of 
transactions, the concept of an expected déviation is rarely used; finding 
a déviation in such Controls would often hâve serious conséquences. 


SURVEYS AND INTERVIEWS 

In gathering evidence about the control environment, often some attributes 
can be tested by a sampling procedure. In other cases, a complété census 
of the control operation can be observed. For example, when employées are 
required to attend a company meeting or sign a statement that they hâve read 
under stand or organization’s code of conduct, the population of evidence 
that the action was performed can sometimes be verified in total, or a sample 
selected to test compliance. 

It is far more difficult to obtain evidence regarding the tone at the top 
and how employées view the organization and their work environment. In 
obtaining such input and gathering evidence regarding these softer issues, 
interviews or surveys are often administered to employées. Sometime focus 
groups of employées are led by experienced facilitators and personnel, and 
management policies are explored in a group setting. When surveys or focus 
groups are administered by a third party, the evidence is generally considered 
more reliable than when management conducts the survey directly. Further- 
more, if employées can maintain anonymity in responding, the responses are 
often more candid. Some Consulting firms and marketing research firms offer 
services that can assist companies in assessing their control environments 
in an objective and professional manner. They can also help companies in 
designing questionnaires to meet various needs and in developing a logical 
sequence of interview questions. Independent auditors may hâve had some 
training in interview and questionnaire techniques, but it is generally lim- 
ited. Forensic auditors, such as certified fraud examiners (CFEs) are more 


TESTING AUTOMATED (COMPUTERIZED) CONTROLS 


121 


likely to hâve had expérience in questioning and interview techniques, but 
the purpose of information gathering regarding Controls and the control envi- 
ronment is quite different from the interrogation and discovery aim of forensic 
investigation. 

The question often arises regarding how large the survey needs to be. In 
companies with many employées, the general guidance regarding sampling 
of manual Controls may be helpful. If a multilocation entity shares a common 
control environment, even if the control activities differ from location to loca- 
tion, then a représentative sample of ail employées may be selected. When 
control environments differ, such as when divisions or segments are inde- 
pendently run, then the separate control environments should be sufficiently 
surveyed to draw some conclusion on each major location and an aggregate 
conclusion drawn overall. To keep the questionnaire short and less stressful, 
some entities ask a few questions of many employées, but vary the questions 
so that the aggregate information about the subject matter is sufficient. For 
example, one employée may be questioned about the code of conduct and 
on annual performance reviews, and another may be asked questions about 
the tolérance of the entity toward ethical lapses and the perceived tone at the 
top. Questions may also be tailored to different levels of management and 
the audit committee or the équivalent. 

In very small entities with only a few employées, a 20 to 40% coverage 
of the staff and management is not unusual and often more than adéquate 
as a basis for an attestation that Controls are effective. Different employées 
would be picked each period. 

TESTING AUTOMATED (COMPUTERIZED) CONTROLS 

When Controls are embedded in software, there is a presumed consistency in 
their operation. While that consistency is generally true, changes in programs 
to meet new user needs, new Systems implémentations, and changes in the 
basic hardware and communications software can impact the operation of 
some automated Controls. Additionally, there is always a risk of unauthorized 
changes in programs for fraudulent purposes. 

Information technology general Controls (ITGC) are those Controls that sit 
on top of the applications and ensure their continued effectiveness through- 
out the financial reporting period. They include security and access, change 
Controls, Controls over new System development and operations Controls. 
When the ITGCs are effective, only limited tests of the underlying auto- 
mated Controls are necessary, since the ITGCs serve to maintain the integrity 
of computer processing during the period. Often the walk-through of an 


122 ESTABLISHING A BASIS FOR CONTROLS EFFECTIVENESS: TESTING CONTROLS 

automated control will be sufficient evidence of effective continued operation 
(a walk-through is generally thought of as a sample of one item). 

In other cases, one or more weaknesses may exist in the ITGCs that would 
preclude reliance on the automated Controls with limited testing. If a new 
System implémentation that happened in this period did not seem to be well 
controlled, then direct tests of the data processed by the System before and 
after the change would be needed to establish reliability of the application. In 
other cases, the control might still need to be tested at several points during 
the year to confirm that the fonction is still in place as described in the control 
documentation. 

Caution should be exercised when an ITGC weakness is discovered in 
the security and access area. Some auditors wonder if anything can be done 
to test the underlying applications and data when there is an acute lack 
of security and access. The concem is that someone could, at will, change 
System procedures and perhaps change payroll data or divert checks to the 
wrong payee. With unfettered access to the programs and data, fraudsters can 
commit the deed, cover their tracks, and sometimes be able to conceal the 
System breach from discovery and scrutiny. The “duh!” here is that secu- 
rity and access issues should be addressed when identified, not sit around 
on summary deficiency sheets for individuals to debate their severity and 
implications. 

TESTING GENERAL COMPUTER CONTROLS 

In many cases, judgment, rather than sampling, is used when assessing the 
information technology (IT) general Controls. For example, in examining the 
adequacy of policies and procedures and the ségrégation of IT duties, concepts 
of sampling are rarely applicable. Determining whether the password security 
scheme meets a spécifie standard is somewhat objective, but nevertheless it 
is generally not a sampling task. Sampling concepts might be employed in 
determining which employées to select from a group in order to examine 
their password access. Observations coupled with inquiries often provide a 
significant amount of evidence regarding the overall effectiveness of the IT 
shop for the trained IT auditor. 

However, sampling sometimes can be used to verify the operation of some 
éléments of general Controls. For example, a sample of help desk issues can 
be selected to détermine whether they are being accumulated, analyzed, and 
followed up on. If the change control process occurs many times during the 
period and the same change Controls are supposed to be followed each time, a 
sample of changes may be selected, or a sample of control points and projects 


TESTING GENERAL COMPUTER CONTROLS 


123 


may be selected, and just those projects and control points would be used to 
extrapolate the results to the population changes. 

When reporting on the effectiveness of internai Controls, management and 
the auditors can be expected to gather more evidence through observations, 
inquiries, and tests of data than when the objective is limited to assessing the 
design and implémentation of such Controls. 

In my view, in most entities, the areas of security and access are critical, 
and management and the auditor must judge whether the quality of these 
Controls are commensurate with the IT risks. 

Auditor Guidance 

In 2007 the AICPA plans to release an updated audit guide, Audit Sampling. Additional 
guidance on applying sampling techniques to accounting transactions (beyond that 
in the current 2001 guide) may be helpful to the entity or external auditor. The 
information provided in this volume is anticipated to be consistent with that new 
guide. 


Appendix 6A 

Sample Size Tutorial 


SAS No. 111 (Amendment to SAS No. 39, Audit Sampling) States: 

To détermine the number of items to be selected in a sample for a particu- 
lar test of details, the auditor should consider the tolerable misstatement and the 
expected misstatement, the audit risk the characteristics of the population, 
the assessed risk of material misstatement (inhérent risk and control risk), and 
the assessed risk for other substantive procedures related to the same assertion. 

An auditor who applies statistical 1 sampling uses tables or formulas to compute 
sample size based on these judgments. An auditor who applies non-statistical 
sampling uses professional judgment to relate these factors in determining the 
appropriate sample size. Ordinarily, this would resuit in a sample size comparable 
to the sample size resulting from an efficient and effectively designed statistical 
sample, considering the same sampling parameters. 

It is not always practical to hâve computer programs or extensive tables 
close at hand when determining sample sizes for planning purposes. Sample 
sizes can be estimated easily using a few factors and a simple formula. 
For situations where more précision in the process is désirable (e.g., for 
determining amounts to be recorded, or for litigation support engagements), 
computer programs or tables may be more appropriate to détermine more 
précisé sample sizes. 


Where 


SAMPLE SIZE FORMULA 

N = C/T 


N — sample size 

C = is the confidence level factor from the following table 


1. This guidance does not suggest that the auditor using nonstatistical sampling compute a corre- 
sponding sample size using statistical theory. 


124 


FOR SUBSTANTIVE SAMPLING 


125 


T = is the Tolerable % (déviation rate or misstatement) expressed as 
a percentage of the population 


Factors 


Confidence 99 

Factor 4.61 


95 90 

3.00 2.31 


87 

2.00 


80 

1.61 


75 63 

1.39 1.00 


50 

.70 


Source: AICPA Audit Sampling Guide, 2001 ed. Appendix D. 


Example: Substantive Test-Confirmations (Existence) 
Receivables: $10,000 

Tolerable: $ 1,000 

Confidence/Reliability: 90% 

N=C/T 
N=2.3 /.1 0 
N=23 

Example: Test of Controls 
Check Authorizations: 

Tolerable Déviations: 

Confidence: 


3,000 

300 

63% 


N=1/.1 0 
N=10 


FOR SUBSTANTIVE SAMPLING 

The formula assumes a large population (over 1,000 items). It will be overly 
conservative when used in smaller populations. 

The formula is based on a probability-proportion-to-size (PPS) sample 
plan, sometimes referred to as a monetary-unit sample plan, and assumes no 
misstatements will be found. To allow for some misstatements, double the 
computed sample size. 

The formula assumes the use of proportional size (probability of sélec- 
tion is proportional to the size of the item) sélection. When the sample is 
selected favoring the larger items, the computed sample size is appropri- 
ate. When the sélection is based simply on a random sample of the items 
in the population, you will generally need to increase the computed sample 
size, as recommended in the 2001 AICPA Audit Sampling Guide (e.g., by 


126 


SAMPLE SIZE TUTORIAL 


Expected 

Déviation 

Rate 

(Percent) 



Tolerable Déviation Rate (Percent) 





1 2 

3 

4 

5 

6 

7 

8 

9 

10 

12 

14 

16 

18 

20 

0.00 

230 120 

80 

60 

45 

40 

35 

30 

25 

25 

20 

20 

15 

15 

15 

0.50 

200 

130 

100 

80 

65 

55 

50 

45 

40 

35 

30 

25 

25 

20 

1.0 

400 

180 

100 

80 

65 

55 

50 

45 

40 

35 

30 

25 

25 

20 

2.0 



200 

140 

90 

75 

50 

45 

40 

35 

30 

25 

25 

20 

3.0 




240 

140 

95 

65 

60 

55 

35 

30 

25 

25 

20 

4.0 





280 

150 

100 

75 

65 

45 

40 

25 

25 

20 

5.0 






320 

160 

120 

80 

55 

40 

35 

30 

20 

6.0 







350 

190 

120 

65 

50 

35 

30 

25 

7.0 








390 

200 

100 

60 

40 

30 

25 

8.0 









420 

140 

75 

50 

40 

25 

9.0 










230 

100 

65 

45 

35 

10.0 










480 

150 

80 

50 

40 


Exhibit 6A.1 Sample Size Table, 90% Confidence/Level 


1.1 or more times). A simple routine can be used to approximately select a 
proportional-to-size (dollar-weighted) sample: 

• Compute the average item size (total value/ of items). 

• Select two-thirds of the sample from the items larger than the average. 

• Select one-third of the sample from the items smaller than the average. 
Other approaches also can be used. 


FOR TESTS OF CONTROLS 

The formula is based on attributes sampling theory and assumes no déviations 
will be found. To allow for one déviation, double the computed sample size. 

The formula assumes the use of a random sélection where each population 
item is given an equal chance of sélection. There is no dollar-weighting of 
the sélection when testing for Controls. 

The formula assumes a large population (over 1,000 items). It will be 
overly conservative when used in smaller populations. 

Exercise 

Compute the sample size for confirmations at a 50% confidence level. 
Compute the sample size for tests of Controls at 90% confidence. 


READING A TABLE TO DETERMINE SAMPLE SIZES 


127 


READING A TABLE TO DETERMINE SAMPLE SIZES 

In general: 

1. Select the table for the Confidence Level desired 

2. Locate the sample size where the Tolerable and Expected rates intersect 
within the table. 

Example: 

Détermine an appropriate substantive sample size for a sample requiring 90% 
confidence, a tolerable misstatement of 5% of the balance and an expected 
misstatement rate of 1/2%. 

Source: Adapted from Table A.2 AICPA Audit Sampling Guide (2001). 


Appendix 6B 

CONDUCTING INTERVIEWS: GaTHERING 

Internal Control Information 


BACKGROUND 

This guidance was developed to help assist you in conducting a successful 
interview. However, the skill of interviewing is an art, and you will conduct 
more effective interviews through practice and further training. Watching 
others conduct successful interviews will also help you to build skills. 

Interviewing is generally used to: 

• Gain an understanding of the procedures and Controls that employées 
perform. 

• Obtain information regarding what other evidence exists to support the 
five components of internai control. 

• Gain evidence of consensus regarding the control environment. Con- 
trol environment evidence is often gathered from management and 
employées through surveys, focus groups, and direct interviews. 

In some cases, the information being sought through the interview process 
is qualitative, such as the tone of the organization. Such responses do not 
generally lend themselves to quantitative measures, but through daily activity 
on site, the auditor, internai auditor, or evaluator can make observations that 
are appropriate to support inquiry responses, even when other evidence is 
not practical to obtain. For some tasks, such as assessing whether antifraud 
programs or ethics policies hâve been implemented, inquiry may provide a 
principal source of evidence. 

Thus, observation is often combined with inquiry for more qualitative 
information about internai Controls. Your on-site observations will provide 


128 


EXAMPLES OF WHERE INTERVIEWS ARE USED 


129 


corroborating or disconfirming evidence that you should consider when draw- 
ing conclusions. 

Your auditors will want to assess any evidence that you hâve gathered 
about the control environment. Sometimes reviewing those procedures will 
help auditors reduce their audit effort or design other tests that do not dupli- 
cate the efforts of management to document their design, implémentation, 
and compliance with the COSO control objectives. Nevertheless, it is hard 
to envision a circumstance where auditors will reach a more favorable con- 
clusion from applying their tests than the one reached by management in 
documenting and assessing their Controls. 


EXAMPLES OF WHERE INTERVIEWS ARE USED 

Oral communication is an important element of documenting and assess- 
ing internai Controls over financial reporting. Some common areas where 
interviews will be used to gather evidence include: 

• Walk-throughs — confirming documented procedures. 

• Tone at the top and other control environment principles, objectives, 
and attributes. 

• Antifraud program awareness, implémentation, and effectiveness. 

• Ethics policies and employée awareness. 

• Personnel policies covering ethical issues and laws protecting workers. 

• Possible evidence of expérience regarding the management override 
of established Controls. The AICPA published a study that identified 
management override as the Achilles’ Heel of Fr aud Prévention. This 
report can be obtained at the AICPA site: www.aicpa.org/audcommctr/ 
download/achilles_heel.pdf. 

• Review of the password and security policies and the process for their 
implémentation. 

• Information Systems details and how they relate to the overall business 
objectives. 

• Monitoring and supervision practices. 

Wherever there is objective evidence, review and cite that as part of your 
assessment process. If there are corporate ethics and code of conduct policies, 
read them first to assess their potential effectiveness as well as to develop 
a basis for any interviews. Consider their potential effectiveness as writ- 
ten. In larger entities, human resources may keep records of employées who 
complété any required ethics or annual update. Examine these records for 
completeness and inquire about how exceptions are handled. Are the records, 


130 CONDUCTING INTERVIEWS: GATHERING INTERNAL CONTROL INFORMATION 

the policy, and interview results consistent? If so, document this. Together, 
your various procedures contribute to the evidence supporting your overall 
assessment regarding an attribute or characteristic. 

PLANNING AND STRATEGY 

Planning is essential. Consider up front when and where interviews will be 
needed to support your assessments. Often, but not always, entities share 
many common éléments of the control environment, so it may be possible to 
gather a small amount of information from a broad number of locations to 
support the overall control environment objectives. However, in some entities, 
a few locations, branches, or segments may be very different in culture and 
nature from the entity as a whole. If so, and if the location is part of the core 
of the business, you may need to apply sufficient tests and perform sufficient 
inquiries at that location to be able to conclude that the control environment 
design and implémentation are acceptable. 

When management or internai audit is visiting remote locations, consider 
doubling up the purpose of the visit so that separate trips are not necessary 
for different purposes. When procedures are performed early in the year, 
consider how you will update or confirm your earlier assessments. Generally 
this is performed by inquiry and observation. 

Consider having alternative ways of getting at the information for your 
assessment. If last year you used primarily written surveys, you may wish 
to rely primarily on interviews or focus group discussions another year. Tar- 
geting the same people every year also does not demonstrate objectivity, so 
share the wealth. If you are aware that your auditor will likely use group 
interviews, then perhaps an individual survey of issues would be more effec- 
tive and less redundant as a management procedure. It is désirable to vary the 
mode of information gathering to keep the process from becoming stale. Just 
going through the motions is a time-wasting exercise, and the entity receives 
little or no constructive feedback in the process. 

Be candid in discussing any issues raised in the interview and question- 
naire process with your auditors and in identifying any actions you hâve 
taken in response to things that were brought to your attention. This shows 
that the process is meaningful to you and avoids nasty shocks when the 
auditor later identifies these same issues as part of the audit. In response to 
suspected fraud issues, one entity hired spécial counsel to investigate and 
as a resuit were able to conclude that there was no basis for concem. That 
really impressed their auditors, and management felt very good about the 
process. 


TIPS FOR AN EFFECTIVE AND EFFICIENT INTERVIEW 


131 


FOCUS CROUPS 

Focus groups (group interviews) can be complex to conduct, due to group 
dynamics, but can also be very revealing and provide multiple responses for 
a given investment in interviewer (called a moderator) time. For example, 
it sometimes takes a few minutes to get a group to open up, and it may 
be difficult to keep the conversation on track to ensure the important points 
are fully covered and ail participants hâve a chance to contribute. Group 
members may also be reluctant to discuss sensitive issues or provide négative 
information. A sensitive moderator will understand when to circle back later 
to touchy issues or whether to address them one on one later on. When using 
focus groups, I suggest using a mix of focus groups and direct interviews to 
get the best out of both procedures: with and without the group dynamics. 

Corporate and country cultures can be important considérations in evaluat- 
ing responses during interviews. In certain country cultures, people might be 
very reluctant to question a person in authority, even in the face of over- 
whelming evidence of a problem. When interviewing people from other 
cultures, nonverbal eues can be confusing, as a head movement back and 
forth that would ordinarily indicate no response may indicate I agréé or I 
am following you. This situation was very unnerving when I experienced 
it in a classroom lecture. Be alert to such situations and factor them into 
your strategy. Some corporate cultures are more relaxed and conversation is 
encouraged, and in others, formai mémos (and even e-mails between persons 
in adjoining workstations) are the desired means of communication. These 
factors can impact the information that is communicated and the way it is 
communicated in an interview. 

TIPS FOR AN EFFECTIVE AND EFFICIENT INTERVIEW 

• Do your homework before the interview. Know the information you 
wish to gather and other relevant information regarding the topic. 

• Make sure the interview is conducted by the right person. A new junior 
accountant should not tasked with interviewing the chief financial offi- 
ces In some cases hiring a third party can facilitate the discussion. 

• Interviewing is not everybody’s bag, so do not expect that college 
or life expérience has taught the skill or how to hâve a worthwhile 
conversation. The stereotypical accountant is an introvert, but there are 
exceptions. Over time, most people can leam to improve their skills, 
and there are courses and development programs that can help refine 
such skills. 


132 CONDUCTING INTERVIEWS: GATHERING INTERNAL CONTROL INFORMATION 

• Don’t get this task tied up with fraud-focused interrogation skills. The 
last thing that you want to do is give the impression you are con- 
ducing an interrogation of a suspect. You may stumble across some 
salient information, but you should not feel empowered to ratchet up 
the conversation into something you saw on TV. There are good inter- 
rogator courses available for that sort of investigation, but that is not 
the immédiate purpose here. You want to obtain information quickly 
and efficiently and hâve the on-your-feet skills to be able to follow up 
on leads and comments. 


The Interview Process 

Unless you just hâve a quick question or two, try to arrange a time when the 
person being interviewed is not pressed for time or tightly scheduled, e.g., “I 
can give you five minutes now. . .” 

It’s a good idea to start the interview by introducing yourself (if you are 
not known to the person) and noting the purpose of the interview. 

Early on in the interview, start by asking some short factual questions. 
Mix those with a few open-ended or opinion questions to put the respondent 
at ease. 

• How long hâve you been with the company? 

• How long hâve you been in your current position? 

• Describe for me some of your daily responsibilities. 

Pay attention to nonverbal eues. If something cornes to your attention, 
such as an obvious shift in demeanor or attitude (when you mentioned the 
boss’s son), corne back to an area later in the interview with some open-ended 
questions. “How long hâve you been working with Joe? Do you work together 
on some projects? . . .” 

With nonaccounting personnel, avoid technical terms that relate to account- 
ing and auditing (e.g., “SAS,” “FASB”) and alarming wording (“We are 
required by our regulator to assess our internai Controls . . .”). Sometimes 
respondents will not understand the context in which the question is being 
asked. Be prepared to restate the question and clarify or explain. However, 
remember that you should still ask the question. Don’t be led into asking 
a different question or accepting an answer to a different question. Some- 
times an inability to understand a question that seems clear means that the 
respondent would rather not answer the question posed. 

Whenever possible, make the questions personal (Hâve you ever become 
aware of an instance where . . . How do you think the company would respond 


SCOPE AND REPORTING ON CONTROLS 


133 


if it became aware of an instance. . .). Respondents often hâve a difficult time 
speaking for the company (How would the company respond if. . 

Be prepared for the unexpected. Follow up, and gather enough information 
so that you can pursue matter later if necessary (“Sure, I was asked to override 
the normal procedures . . . lots of times . . . but I refused . . .”). 

• What happened when you refused? 

• Did they say why they asked you to do that? 

• When was the last time? 

• Are you aware of others that hâve been asked? 

Listen carefully. If you are so busy writing notes or thinking about the 
next question, you will miss the current answer. A slight pause to formulate 
the next question is not a bad thing. Don’t rush. 

One of the most alarming and distracting things you can do is to start 
to scribble furiously when the respondent is speaking. The use of recording 
devices can also unnerve respondents and diminish the effectiveness of the 
interview. Trying to type notes on a portable computer during the interview 
can also be distracting. Leam to take notes by jotting down a few key words 
on a small pad next to the questions and fill in the details after the interview 
ends. Leave yourself time to do this after the interview while your memory 
is fresh, and not later in the day or tomorrow. 

Ask for information rather than prompt with an answer: 

• Say “How would I know by looking at this that you hâve performed 
the réconciliation?” rather than “Do you then initial the invoice?” 

• Start with “Are you aware of whether the company has an antifraud 
policy?” rather than “Did you take the required refresher course this 
year on the company’ s antifraud policy?” 

When the interview is completed, thank participants for their time and ask 
if you can follow up with them later if there are further questions. You may 
need to ask for their extension or other contact in formation. 

Correlate responses with other information and observations to identify 
any issues or inconsistencies in responses. 

SCOPE AND REPORTING ON CONTROLS 

Of course, when the purpose of the documentation is limited to design and 
implémentation, little direct interviewing or surveying is probably necessary. 
Usually you can get a pretty good sense of the answers through observa- 
tions and some limited inquiries. When the scope of the documentation 
is to report on Controls, more evidence is needed to support the assertion 


134 


CONDUCTING INTERVIEWS: GATHERING INTERNAL CONTROL INFORMATION 


regarding Controls effectiveness, and you may need to employ sampling prin- 
ciples. The remainder of this section discusses some design considérations 
when management plans to report on Controls. 

Consider the nature of the inquiry, and identify a potential population 
of respondents. When the scope of the inquiry includes the company as a 
whole (e.g., awareness of the corporate ethics policy), you should gather 
evidence from a variety of personnel groups, including production and sales 
personnel, administrative personnel and management. While the sample will 
not necessarily cover ail groups in any one year, it should include a variety of 
personnel groups and may focus on some groups more intently in some years. 

The extent of testing (sample size) is a difficult concept to operationalize in 
this context. Two examples of applying judgment in determining the extent of 
required procedures when assessing employées’ awareness and understanding 
of the company’ s codes of conduct and ethics by employées follow. 

EXAMPLE 1: 

Company A is comprised of a single plant in one location. Human resources 
(HR) instructs ail new employées on the company code of conduct and ethics 
and requires an annual confirmation by existing employées that they hâve read and 
understand its provisions. The total number of employées is 5,000. Documentation 
of compliance with the policy is available in HR. 

■ The code should be reviewed for content and understandability. 

■ The company has tested its records of policy compliance by 30 interviews 
of 10 minutes each and also through a company-wide e-mail survey. It has 
identified no exceptions. 

■ Toward the end of each interview, an open-ended question is asked about 
the employee’s awareness of any risks or instances of fraud. 

EXAMPLE 2: 

Company B is comprised of one manufacturing and distribution location with 
20 employées. Many of the employées hâve been with the company for over 
10 years. The company is profitable and its employées seem fairly compen- 
sated and dedicated to the company and long-term service. Top management 
is comprised of two partners. This year the company drafted and circulated an 
ethics policy and posted it in a common location. The policy was reviewed at an 
“all-hands” meeting. 

Testing: 

The company needs sufficient evidence to be able to assert that there is adéquate 
understanding of and effectiveness of the code of conduct and ethics policy. 


FOLLOWING UP 


135 


Because of the low number of employées, two administrative and 2 production 
workers were chosen at random, and, in addition, one business partner answered 
questions from the Treasurer regarding the policy, its understandability and the 
discussion at the “ail hands” meeting. This was sufficient for the company to 
conclude that the policy was implemented and seems to be effective. 


FOLLOWING UP 

There will be instances when follow-up will be necessary. Often issues and 
comments can be clarified by a simple phone call, but if significant additional 
in formation is needed, schedule a follow-up meeting. 

Remember that a strong suspicion of fraud or evidence of fraud should be 
communicated within the organization to a level above the suspected person 
involved, and it may call for a timely communication to the entity’s gover- 
nance body. You may need to secure legal advice if you are not sure of the 
next steps to take. Most organizations hâve legal advisors who may be help- 
ful. Management or the govemance body may engage independent, trained 
forensic investigators to examine a suspected fraud situation more closely. 
Employées and even CPAs are not generally trained as fraud examiners, and 
evidence can be altered or destroyed in a short time if employées believe that 
they hâve been targeted for investigation. Don’t play détective. Timeliness 
and proper action is of the essence if fraud is présent. 



7 

Assessing Design Effectiveness 
and Operating Effectiveness 


IT'S INEVITABLE 

In the process of documenting Controls, you are likely to encounter deficien- 
cies in the design of the Controls, most often a control objective that is not 
being addressed or is only partially addressed by the control that is in place. 
If you do not hâve a control over the sélection of vendors for fulfilling vari- 
ous service needs, you might run the risk that business could be diverted to 
a vendor who will share some overbillings with the accountant directing the 
business to it. This happens in public companies, and it can happen anywhere. 

In the monitoring function, or if you are testing Controls in order to make an 
assertion about them, you might find that the Controls did not operate as they 
should and were sometimes ineffective. You might find through the auditor’s 
procedures or through customer returns and complaints that your Controls 
failed and led to substantive errors on the financial statements, even though 
your tests showed that the Controls seemed adéquate and to be working. 

An odd aspect of Controls assessment is that finding errors in the financial 
statements generally implies a control failure of some sort, but not finding 
a substantive error in the financial data does not imply the Controls are 
working. This oddity is caused by the fact that even in the absence of any 
real Controls, the processes may be performed by individuals who are honest 
and competent and diligent. Thus, even though what we call Controls may 
be lacking, correct financial data and reports can be produced. As mentioned 
previously, the “could” factor drives the severity of a deficiency. In assessing 


137 


138 


ASSESSING DESIGN EFFECTIVENESS AND OPERATING EFFECTIVENESS 


the severity of control deficiencies, you need to look beyond the amount 
of any actual misstatements associated with the deficiency and assess the 
likelihood and magnitude of potential deficiencies that could resuit from the 
misstatement. 

Only automated Controls should be expected to operate the same way each 
time. We humans hâve our ups and downs and sometimes fail to give each 
detail the attention it deserves, so manual Controls generally are less reliable. 
The downside of automated Controls is that they will operate exactly as pro- 
grammed. When unusual situations arise, automated Controls may not perform 
as you expect, depending on how the function is programmed. Computers 
are generally not able to exercise judgment. 

Expect to encounter some deficiencies when undertaking to document and 
test internai Controls. As many public companies of significant size came to 
realize in 2004-2005, there are a lot of bases to be covered before you can 
conclude that Controls are designed and working effectively. A survey by 
Ernst & Young in 2005 noted that 25% of companies with over $5 billion 
in sales remediated over 500 Controls in their first year of assessing and 
reporting on the effectiveness of their internai Controls. 1 Recall that these were 
considered among the largest and most well controlled entities in the world, 
many with significant internai audit staffs. In prior years, their auditors may 
hâve relied on their internai Controls for audit assurance, but a doser scrutiny 
revealed quite a few holes. The application of the Controls framework based 
on Committee of Sponsoring Organizations (COSO) concepts, while not new, 
was certainly performed with greater depth and structure under the rigorous 
Public Company Accounting Oversight Board (PCAOB) Auditing Standard 
No. 2, An Audit of Internai control over Financial Reporting Performed in 
Conjunction with an Audit of Financial Statements. 

As attributed to Yogi Berra, “It’s amazing what you see when you look.” 

Identifying deficiencies and weaknesses in Controls does not make you a 
bad business person, and you hâve not “messed up.” Do not attach a moral 
label to the issue at the outset. If you identify issues and refuse to make adjust- 
ments, then it is OK to flog yourself in shame (just kidding). Let’s look at 
the worst thing that can happen here. You are an audited entity (I assume this 
because you are reading this book), and even if you hâve weaknesses in Con- 
trols, as long as your auditor can gather the information necessary to audit the 
financial statements, you can still receive a “clean” audit opinion. However, 


1. E&Y, “Emerging Trends in Internai Controls: Fourth Survey and Industry Insights” (September 
2005 ). 


IT'S INEVITABLE 


139 


under reinvigorated auditing standards on communications regarding internai 
control, auditors should communicate significant deficiencies and material 
weaknesses in Controls to management and those charged with govemance 
(e.g., owners, boards, township committees, etc.) in writing. 2 

Over the years, the frauds and financial statement misstatements found 
in private, not-for-profit, and government entities can be traced directly to 
the ineffectiveness of Controls design and operation. For the most part, this 
required auditor communication to the entity créâtes a clear record of the 
issues auditors and management and owners discussed so that later finger- 
pointing about who told who what is less subjective. The auditor does not 
share this communication with third parties, and unlike when a company 
chooses or is required to report on internai Controls, the communication is 
not part of the financial statements. Over time, it is possible that venture 
capitalists, entities that award grants and contracts, regulators, and other third 
parties may ask companies about these communications, but right now is the 
time is right to fix the issues. 

Additionally, the private entity seeking someday to go public or attract a 
suitor (buyer) might use a report on effective internai Controls as an indicator 
of value that can provide a compétitive advantage in the marketplace. Some 
private entities hire their auditors to perform an attestation on the effectiveness 
of their internai Controls, and that auditor report on internai Controls (under 
AT 501 of the professional auditing standards) can be published with the 
financial statements and communicated to potential investors. 

Various levels of deficiencies hâve been identified in Controls writings. In 
order of decreasing severity they are: 

• Material weaknesses 

• Significant deficiencies 

• Deficiencies 

• Exceptions 

The good news is that many issues encountered in the assessment, testing, 
and monitoring of Controls are simple to assess. There is no need to go 
through a tortured assessment of likelihood and magnitude and follow a 
step-by-step process in thinking through the classification. For example, if 
there is no control to ensure that crédit sales will be collectable, and such 


2. SAS No. 112, Communicating Internai Control Related Matters Noted in an Audit — effective for 
private company, nonprofit, and government (nonissuer) financial audits for periods ending on or 
after December 15, 2006, AICPA, New York, 2006. 


140 


ASSESSING DESIGN EFFECTIVENESS AND OPERATING EFFECTIVENESS 


sales are voluminous (such as with a retail operation where consumer crédit 
sales are common), then the deficiency quickly rises to the level of a material 
weakness. If a company does not hâve the technical resources to account 
properly for its transactions under generally accepted accounting principles 
(GAAP) and préparé financial statements, it’s a pretty easy call. However, 
at the margin, the need for following a structured approach to assessing the 
severity of the deficiency becomes more évident. 

Many managers and auditors note that after they follow a structured process 
a few times, the calls and judgments are easier to make. The simple process of 
building expérience will assist you over time in making consistent judgments. 
Sharing their thought processes will also help auditors and companies reach 
consistent and supported conclusions. 

If management is committed to changing the processes and meeting the 
Controls performance expectations when deficiencies are identified, the need 
to precisely define such deficiencies also déclinés, since change and correc- 
tion are likely to follow. When management is more cost-benefit conscious 
or is reluctant to make changes, the assessment process can be more im- 
portant. 


DEFINITIONS OF SIGNIFICANT DEFICIENCIES AND MATERIAL 
WEAKNESSES 

In the discussions that follow, we will be focusing on the various levels of 
deficiencies. Exceptions are findings from tests that do not even rise to the 
level of deficiencies but are simply findings that need to be considered, as 
they might, in combination with other exceptions, indicate deficiencies. For 
example, in documenting a control, suppose there were some points in the 
documentation that were inaccurate or not complété, but not to the point 
of being misleading or wrong. Suppose in the Controls testing process you 
found that certain data fields, other than the financial data fields you were 
focusing on, had missing or inaccurate information, but such issues did not 
affect the data you were working with or your ability to verify the reported 
transaction in formation. Those might be exceptions. While not major issues, 
sloppy documentation and record keeping in general could indicate a more 
serious issue and should not be ignored. 

The public company auditing standards and the standards “for the rest 
of us” share the same définitions of the terms “significant deficiencies” 
and “material weaknesses.” According to PCAOB Auditing Standard No. 2 
(2004): 


DEFINITIONS OF SIGNIFICANT DEFICIENCIES AND MATERIAL WEAKNESSES 


141 


8. A control deficiency exists when the design or operation of a control does 
not allow management or employées, in the normal course of performing 
their assigned functions, to prevent or detect misstatements on a timely 
basis. A deficiency in design exists when: 

a. a control necessary to meet the control objective is missing or 

b. an existing control is not properly designed so that, even if the control 
opérâtes as designed, the control objective is not always met. 

A deficiency in operation exists when a properly designed control does 
not operate as designed, or when the person performing the control does 
not possess the necessary authority or qualifications to perform the control 
effectively. 

9. A significant deficiency is a control deficiency, or combination of control 
deficiencies, that adversely affects the company's ability to initiate, autho- 
rize, record, process, or report external financial data reliably in accordance 
with generally accepted accounting principles such that there is more than 
a remote likelihood that a misstatement of the company's annual or intérim 
financial statements that is more than inconsequential 3 will not be prevented 
or detected. 

Note: The term “remote likelihood" as used in the définitions of sig- 
nificant deficiency and material weakness (paragraph 10) has the same 
meaning as the term "remote" as used in Financial Accounting Standards 
Board Statement No. 5, Accounting for Contingencies ("FAS No. 5"). Para- 
graph 3 of FAS No. 5 States: "When a loss contingency exists, the likelihood 
that the future event or events will confirm the loss or impairmentof an asset 
or the incurrence of a liability can range from probable to remote." This 
Statement uses theterms "probable," "reasonably possible," and "remote" 
to identify three areas within that range, as follows: 

a. Probable. The future event or events are likely to occur. 

b. Reasonably possible. The chance of the future event or events occurring 
is more than remote but less than likely. 

c. Remote. The chance of the future events or events occurring is slight. 

Therefore, the likelihood of an event is "more than remote" when 
it is either reasonably possible or probable. 

Note: A misstatement is inconsequential if a reasonable person 
would conclude, after considering the possibility of further undetected 
misstatements, that the misstatement, either individually or when aggre- 
gated with other misstatements, would clearly be immaterial to the 
financial statements. If a reasonable person could not reach such a 
conclusion regarding a particular misstatement, that misstatement is 
more than inconsequential. 


3. While not part of the définition or any official literature, the threshold between ‘înconsequenual” 
and “significant” deficiencies has corne to mean around 20% of materiality in audit practice. 


142 


ASSESSING DESIGN EFFECTIVENESS AND OPERATING EFFECTIVENESS 


10. A material weakness is a significantdeficiency, or combination of significant 
deficiencies, that results in more than a remote likelihood that a material 
misstatement of the annual or intérim financial statements will not be 
prevented or detected. 


As of spring 2007, the PCAOB was considering a softening of this déf- 
inition in its Exposure Draft (ED) of Auditing Standard No. 5 (a proposed 
replacement of AS No. 2). If this is adopted, American Institute of Certified 
Public Accountants (AICPA) auditing standards are also likely to be changed 
to conform to the revised définition. The practical implication is that some 
marginal weaknesses or significant deficiencies may move down to the next 
lower category under the revised définitions, but since most deficiencies fall 
well to one side or the other of the margin, any such change likely will not 
significantly affect the severity assessment of many identified deficiencies. 4 

Framework for Assessing the Severity of Deficiencies 

In 2004, amid the sorting-out of the public company requirements, an implé- 
mentation task force was formed from the larger firms plus an academie 
member. A major problem with the implémentation of the aforementioned 
définitions was that companies and auditors were unable to apply consistent 
judgments. An inhérent limitation with conceptual guidance and définitions 
is that once the documentation, control design assessments, and tests of Con- 
trols are complété, assessing the severity of the identified deficiencies is more 
art than science. Both companies and auditors found it hard to “dollarize” 
the implications of control deficiencies, particularly when misstatements of 
amounts were not associated with control deficiencies or failures. 

Entities and auditors with the same information could reach different 
conclusions regarding the severity of a deficiency, particularly when the 


4. The PCAOB No. 5 ED proposes these définitions: “A significant deficiency is a control defi- 
ciency, or combination of control deficiencies, such that there is a reasonable possibility that 
a significant misstatement of the company’ s annual or intérim financial statements will not be 
prevented or detected. Note: A significant misstatement is a misstatement that is less than mate- 
rial yet important enough to merit attention by those responsible for oversight of the company’ s 
financial reporting 

“A material weakness is a control deficiency, or combination of control deficiencies, such that 
there is a reasonable possibility that a mater I m atement of the company’ s annual or intérim 
financial statements will not be prevented or detected. 

“Note: There is a reasonable possibility of an event, as used in the définitions of material 
weakness and significant deficiency, when the likelihood of the event is either "reasonably possi- 
ble” or “probable,” as those terms are used in Financial Accounting Standards Board Statement 
No. 5, Accounting for Contingencies (FAS No. 5).” 


KEY FACTORS WHEN ASSESSING THE SEVERITY OF A DEFICIENCY 143 

deficiency is on the margin between one category and another. However, the 
assessment was not intended to be a subjective, random guess, or decided 
on the basis of the strength of personalities. There should be principles and 
reasoning approaches that can lead reasonable people to reach a similar con- 
clusion about a given situation. 

It was in this spirit that the implémentation task force created a document, 
A Framework for Evaluating Control Exceptions and Deficiencies , which was 
posted to the Web sites of the major firms and organizations for wide dissém- 
ination. 5 While not endorsed or required by the PCAOB, it was referred to 
in speeches as being a way to meet the concepts in the standard, a sufficient 
“blessing” to encourage many companies and auditors to follow its principles. 
The document was produced in three progressive releases; the third and final 
release in the cumulative sériés was December 20, 2004. That document is 
reproduced in Appendix 7A for user reference. 

While public company guidance may seem irrelevant to those entities oper- 
ating in nonpublic-company markets, to unify concepts and terms, the AICPA 
has tried to avoid creating nuance-level différences in the implémentation of 
private company and public company deficiency définitions. After ail, the 
genesis of the current public company guidance was guidance and défini- 
tions developed for ail companies (public and private) years ago and adopted 
by the AICPA, and it has been in use for a long time in audit practice. 
The COSO Framework has not been as explicit in how to assess the sever- 
ity of identified deficiencies as the auditing guidance in this area, so that is 
the reason for the focus on the auditing literature regarding this issue. The 
Sarbanes-Oxley Act (SOX) requirements for ail public companies to report 
on internai control heightened the need for companies and auditors to share a 
common vision of how to assess the severity of identified deficiencies. Com- 
panies, in particular, were unfamiliar with the concepts, and thus the need 
for broad communication of the guidance. 

The pioneers in 2004 laid the general groundwork for how to assess the 
deficiencies, and that is the perspective taken in this book. 

KEY FACTORS WHEN ASSESSING THE SEVERITY 
OF A DEFICIENCY 

Before getting into the mechanics of assessing deficiencies in design and 
operation, we should take a bird’ s-eye view of the factors and characteristics 


5. The author 


member of this initial implémentation task force from 2003 through mid-2005. 


144 


ASSESSING DESIGN EFFECTIVENESS AND OPERATING EFFECTIVENESS 


that can affect your assessment. These variables include the: 

• Purpose and level of the control 

• Objectives and timing 

• Potential likelihood and magnitude of the misstatement 

• Business characteristics and risk environment 

Gaining familiarity with these factors will help you to work through the 
assessment process and over time will help you to build the judgment nec- 
essary to assess control deficiencies more consistently. These factors should 
be considered by entities and auditors alike and may assist in discussing any 
différences in opinion that may arise in assessing the severity of a deficiency. 

Purpose and Level of the Control 

Before severity can be assessed, deficiencies need to be considered in the 
context of the purpose and level of the control. Controls that are strictly 
related to operations are not the focus of financial reporting. For example, 
Controls over stocking levels in a retail operation may be ineffective, result- 
ing in lost sales or excess inventory. The lost sales aspect would not hâve a 
financial reporting implication, but the excess inventory, if it might lead to 
spoiled or damaged goods, might hâve a financial conséquence. If assessing 
inventory spoilage or damage was already included somewhere in the finan- 
cial reporting cycle procedures, then the lack of an effective ordering and 
restocking control might be of negligible conséquence, even though it might 
hâve conséquence to the business as a whole. 

Recall that the COSO Framework identified three components of internai 
control: 

• Operations 

• Financial reporting 

• Compliance with régulation 

Our primary focus is on financial reporting Controls, but care needs to be 
taken in excluding processes that hâve overlaps and financial implications. 
In many cases, the lack of a process and Controls to capture risks associated 
with regulatory issues, such as environmental and pollution laws, would be 
a deficiency. A company that is in a highly regulated industry that fails 
to hâve an effective regulatory compliance monitoring function is likely to 
be assessed with a material weakness. A lack of awareness and Controls 
to prevent or detect violation of labor laws relates to the human resource 
function and would generally be scoped into an assessment of a deficiency 
of some magnitude where management plans to report publicly on the Controls 
effectiveness. In cases where the Controls are tangential to financial reporting, 


KEY FACTORS WHEN ASSESSING THE SEVERITY OF A DEFICIENCY 


145 


entities should be prepared to demonstrate how processes and Controls are in 
place to capture information that might be relevant to the financial statement 
amounts or disclosures (e.g., a potential risk or liability). 

In Controls theory, some Controls are by their nature Controls that other 
Controls rely on. For example, if a computer report is generated that shows 
unmatched orders and shipments for manual réconciliation, the effectiveness 
of the manual control is dépendent on the effectiveness of the computerized 
(automated) control. Similarly, if automated computer processes are dépen- 
dent on the integrity of the access control and security to the computer files 
and programs, ineffective security can trump the otherwise apparently effec- 
tive underlying application control. As a final example, if management is 
prone to override Controls when it is convenient for them to do so, then ail 
the underlying Controls are potentially compromised. This implied hierarchy 
of Controls is an element to be considered in the assessment of deficien- 
cies. Obviously a related control or process that is out of control can hâve 
significant implications for other Controls. A poor control environment can 
poison the entire System and can rarely be compensated for by lower-level 
Controls. A CFO who commits a theft affects a Controls assessment more 
than a clerk who lifts some petty cash. Pervasive access and security weak- 
nesses hâve more severe conséquences than deficiencies in a payroll process, 
where employées are likely to notice and report errors. So the concept of 
both underlying and overarching Controls helps “position” the control and 
provides dues to how severe a deficiency in that control might be. 

Objectives and Timing 

Many entities using this book to better understand Controls are not intending 
to report publicly on internai Controls anytime soon. Nevertheless, there is not 
a lower standard by which Controls are assessed or deficiencies measured for 
smaller or for nonpublic entities. Your overall objectives can still impact your 
approach to the analysis and the severity and implications of some identified 
deficiencies. 

Let’s say you or a consultant under your direction embarked on a Controls 
assessment assignment early in the new year as an exercise in identifying 
opportunities to improve Controls, as you know improvements are probably 
necessary. The severity of any deficiencies identified from this exercise may 
not require as much detailed analysis as had they been discovered late in 
the period or during the audit. Since the intention of the early project is 
to correct ail major issues, the concem is just to ensure that ail potentially 
significant deficiencies are promptly corrected. Those that you choose not 
to correct because they are insignifiant should not be able to corne back 


146 


ASSESSING DESIGN EFFECTIVENESS AND OPERATING EFFECTIVENESS 


and bite you later on. Thus, plan to correct just about everything that is a 
deficiency. 

In general, if deficiencies were identified during the year, care needs 
to be taken both by management and the auditor that transactions which 
were processed but not effectively controlled were nevertheless still correctly 
processed and accounted for. This requires some additional monitoring and 
testing of those transactions. Auditors cannot rely on Controls during peri- 
ods of ineffectiveness, so significant deficiencies and material weaknesses 
will generally resuit in more audit testing of transactions and balances and 
less reliance on Controls in those areas. For purposes of this assessment the 
severity of the deficiency is more important, as it will dictate an appropriate 
response to the issue. 

An anomaly arises if the purpose is to publicly report on Controls. In 
public companies, reports relate to Controls “as of ’ the spécifie reporting date: 
the ending date of the balance sheet. Entities that are not public follow the 
guidance in AICPA’s Attestation Standard AT 501 for reporting on Controls; it 
permits reports to cover Controls either within a period or “as of ’ a reporting 
date. When reporting on Controls within a period, a weakness identified and 
corrected in that period would still be reported, even if it was remediated 
and tested to be effective by the end of the year. When reporting “as of ’ 
a date, past remediations, if effective, would not be included in the report 
and a clean opinion could be issued. This has important implications for 
those publicly reporting on Controls or seeking an auditor opinion on the 
effectiveness of Controls. The reporting period or reporting date selected can 
affect the assessment of a deficiency and détermine whether the deficiency 
will impair your ability to attest to the effectiveness of your Controls. 

In addition, in the ITGC area, the “as of ’ date for reporting on Controls has 
another peculiar wrinkle for deficiency assessment. If a deficiency in, say, 
change control procedures or new Systems development procedures exists, the 
practice convention has arisen that the severity of the deficiency is initially 
dictated by the severity of any deficiency in the underlying Controls identified 
as of the reporting date. Say, for example, it is found that the sales Process- 
ing System has been incorrectly generating sales and receivables because of 
reference to an incorrect data table, and this deficiency can be traced to a 
defective change control process earlier in the year. If the deficiency in the 
sales System is deemed a material weakness, the ITGC deficiency would 
also be identified as a material weakness. Had the same déficient change 
control process not resulted in any known application-level deficiencies, the 
same déficient ITGC would be simply a deficiency for purposes of the “as 


KEY FACTORS WHEN ASSESSING THE SEVERITY OF A DEFICIENCY 


147 


of ’ internai Controls report, but its severity for financial reporting purposes 
would be assessed separately. This was not an intuitive conclusion for many 
information technology (IT) professionals but is based on the general view 
that ITGC deficiencies do not create misstatements but open the door to 
misstatements, and the underlying computer Systems and processing Controls 
are the front line in ensuring proper accounting. There is some debate as to 
whether this logic holds true for issues of security and access, since weak- 
nesses in that aspect of ITGC could lead to System changes or unauthorized 
transactions that could later be hidden from discovery, depending on the 
nature and severity of the security weakness. 

This factor can be a point of confusion during discussions of the supposed 
synergy that exists between an audit of financial statements and the reporting 
on the effectiveness of internai Controls. 

Potential Likelihood and Magnitude of the Misstatement 

AICPA and PCAOB literature clearly indicate the important rôle of the poten- 
tial likelihood and magnitude of misstatement. The term “likelihood” relates 
to the chance that a misstatement might be caused by the deficiency. Gener- 
ally, if you are at the stage of assessing the severity of a deficiency, you hâve 
already met the likelihood threshold. A deficiency in design of an important 
control (the attribute or objective cannot be met because the design of the 
control is insufficient to do so) passes this test right away, since there is no 
control in place and the “could” factor indicates that misstatement is not con- 
trolled. When the deficiency is identified as a resuit of observations or tests 
of the control, the déviation rate observed can be a strong indicator of the 
likelihood that misstatement could occur. If a test is designed at a minimum 
sample size and expecting no déviations, then finding one or more déviations 
generally means that the test cannot support the desired conclusion at the 
level of assurance desired. The resuit fails the likelihood threshold, and the 
assessment moves on to estimate the possible magnitude of the deficiency. 

Chapter 6 addressed the sampling and testing considérations inhérent in 
assessing the operating effectiveness of Controls and includes guidance on 
extending tests when initial ones are inconclusive or provide less assurance 
than desired. For reference regarding the likelihood issue, you may wish to 
look at Exhibit 7A. 1 in Appendix 7A. 

When assessing the magnitude, the volume of control dollars (gross dollar 
exposure) that could be affected by the control deficiency is estimated. For 
example, if the System fails to add proper shipping charges to a certain 
type of sales, then the gross exposure can be estimated by the potential 


ASSESSING DESIGN EFFECTIVENESS AND OPERATING EFFECTIVENESS 


misstatement of the shipping charges on the total volume of those types of 
sales. When important Controls fail when tested, the volume of transactions 
that pass through that control point generally will cause the magnitude of the 
deficiency to be significant or material. 

Before determining the severity of the deficiency, you should consider 
if there are other Controls, including monitoring Controls, that might com- 
pensate for or mitigate the ineffective control and limit the magnitude of 
the deficiency to something less than materiality. Finally, you need to step 
back from the situation and apply a reasonable person test (e.g., the prudent 
official test) to the misstatement. Does your assessment pass the sniff test 
if the circumstances were revealed in the newspaper the next day? Is it a 
believable conclusion, regardless of the contortions you underwent to draw 
it? For most control activities, magnitude assessments follow the guidance 
in Exhibit 7A.2 of Appendix 7A. This exhibit will be used later on when 
illustrating the assessment of a few example deficiencies. 

Business Characteristics and Risk Environment 

Consider the business as a whole and the relative risks and importance of 
the function exhibiting the deficiency when assessing the severity of a defi- 
ciency. You may also consider this factor as a component of the likelihood 
assessment, but some prefer to ensure it is at least clearly articulated dur- 
ing the assessment process. Suppose your business was highly dépendent on 
spécifie company intellectual property and knowledge contained within your 
Systems. One might expect you would be very concemed about the theft or 
corruption of that data and would hâve industrial-strength security and Inter- 
net firewall protection. A community service organization also needs security 
and intruder protection, but to the same degree? Of course not. 

Suppose that passwords are in place, but password security is simple (e.g., 
five-character minimum), and passwords are not changed several times a year, 
as is generally recommended. Although that situation would be a deficiency 
to both entities, it might be much more severe for the intellectual property 
risk entity than for the community service organization. The importance of 
the data and the risk of industrial espionage heighten the severity of the 
deficiency in one environment versus the other. Do not generalize that smaller 
companies hâve a lesser standard to fulfill. It is just that the underlying risks 
might be lower and the amounts and things at risk might not attract the 
most sophisticated of fraudsters and hackers. There are plenty of examples in 
Chapter 8 of not-for-profit, religious organization, and govemment program 
frauds that were supported by loose Controls. However unattractive you think 


CONDITIONS INDICATING CONTROL DEFICIENCES 149 

you might be as a target for a fraud, there are lots of opportunists who 
will take you on and exploit any opportunity you provide. In fact, charities 
and religious organizations are frequent targets because they are often so 
vulnérable and trusting. 

Because govemments often control so much money, they are frequent 
targets of fraudsters through a variety of scams. However, according to the 
statistics, in recent years govemment Controls awareness has reduced the 
instances and magnitude of govemment frauds. Actually, as cited before, the 
2006 survey on occupational fraud noted that the médian reported fraud in 
private companies was actually larger than for public companies and almost 
twice the médian fraud amount for govemments. 

As another example, suppose a business is paperless and ail transactions 
and documents are stored in electronic form and images. Timely data backups, 
disaster planning, and offsite storage issues would be more critical to this type 
of business than many others due to its reliance on Systems and data. The 
quality of the IT general Controls should be correspondingly high. 

CONDITIONS INDICATING CONTROL DEFICIENCES 

The auditing community standards literature defines a number of issues and 
situations that should be considered deficiencies of some level of severity. 6 
The final assessment of the severity is dépendent on judgment, as there are 
degrees of deficiency. 

Exhibit 7.1 contains examples of more severe deficiencies. 

In-House Accounting Expertise 

Smaller entities hâve particular problems in securing at a reasonable cost 
the accounting expertise and expérience necessary to properly account for 
ail transactions and préparé the financial statements. Not every entity can 
afford the level of in-house expertise necessary to handle unusual situations, 
perform the tax accrual (i.e., création of tax expense and deferred tax amounts 
when the tax and financial records are not in sync), and close the books and 
make appropriate accruals and draft financial statements. The inability to 
perform these functions is considered an internai control deficiency that may 
be severe enough (e.g., a significant deficiency or a material weakness) to 
require communication to management and those charged with govemance 
every year. 


6. SAS No. 112, Communicating Internai Control Related Matters Noted in an Audit. 


150 


ASSESSING DESIGN EFFECTIVENESS AND OPERATING EFFECTIVENESS 


• Entity accounting expertise insufficient to effectively select and apply the appro- 
priate GAAP accounting principles to the transactions of the entity. 

• A lack of antifraud programs and Controls, and awareness of fraud risks. 

• A lack of Controls over nonroutine and nonsystematic transactions. 

• Insufficiently designed Controls over the period-end closing process and prépa- 
ration of the financial reports. This includes the calculation and recording of 
periodic adjustments such as dépréciation and amortization expenses, fair value 
measurements as required by GAAP (in accounting for changes in some investment 
holdings and for testing impairment of asset values), and the provision for accrued 
expenses, allowances and reserves. 

• Lack of oversight of the entity's internai control over financial reporting by "those 
charged with governance." 

• Restatement of previously issued financial statements to reflect past accounting 
errors. A restatement to reflect changes in accounting principles to comply with 
a new accounting standard or a voluntary change from one generally accepted 
accounting principle to another would not indicate a deficiency. 

• The auditor's discovery of a material misstatement or an aggregate of misstatements 
that were material in the financial statements for the period under audit, including 
misstatements of estimâtes and accruals. These would be considered material 
misstatements even if the entity corrected these items identified by the auditor. 
Becausethe auditor is not considered an element of internai control of the entity, it 
is the entity's responsibility to préparé GAAP financial statements and disclosures. 

• An ineffective internai audit function in larger and more complex entities where 
the monitoring and risk assessment functions are important to the entity. 

• For regulated entities, an ineffective regulatory compliance function that could 
hâve a material effect on the reliability of financial reporting. For example, if 
the issuance of additional debt instruments is essential for the continued financial 
viabilityof an entity, and regulators may prohibitsuch issuancesduetofailingother 
regulatory requirements, disclosures and possibly accruals might be necessary to 
reflect the circumstances. An attitude of contemptor indifférence toward regulatory 
requirements might also indicate a more general control environment deficiency. 

• Identification of any magnitude of fraud on the part of senior management and 
officiais. Senior management includes owners, the senior financial and accounting 
officers, etc. The reason for this concern is the possible implications on the 
control environment and the existence of evidence that such behavior exists in 
this management group. This issue includes, but is not limited to, deliberately 
overstated requests for "expense" reimbursements and the use of entity funds for 
items or services of a personal nature without recording compensation expense. 

• An attitude on the part of management or those charged with governance that 
créâtes indifférence to correcting known significant deficiencies or material weak- 
nesses in internai Controls. 

• An ineffective control environment. Since the control environment sets the "tone" 
of the organization, an ineffective control environment is unlikely to be overcome 
by Controls at the more detailed level. Of particular concern in smaller entities 
is the existence or risk of management override of Controls where management 
or owners instruct employées to perform actions outside the normal operating 
procedures (e.g., make payments without adéquate documentation or invoice 
support). 


Exhibit 7.1 Examples of More Severe Deficiencies 


CONDITIONS INDICATING CONTROL DEFICIENCES 


151 


A practical way to address this issue may be to upgrade the skill sets 
of the accounting staff to include the knowledge and techniques necessary 
to perform some of these functions. Another alternative some hâve found 
to be cost-effective is to hire another accountant on a Consulting basis to 
perform these basic functions and to préparé the books, records, and financial 
statements for the extemal auditor review. Often Consulting accountant fees 
will be less than those otherwise charged by an independent auditor for the 
same service. Some entities hâve actually reduced total costs by securing 
timely Consulting advice and minimizing independent auditor costs. 

Under current AICPA rules, the independent auditor can assist clients in 
making adjustments and preparing the financial statements and disclosures, 
but he or she still needs to identify if the reason for performing such services 
is due to the entity’s inability to perform these control functions. When a 
deficiency is deemed to exist, the auditor needs to assess its severity and 
communicate with management or those charged with govemance when the 
deficiency is a significant deficiency or a material weakness. 

Other Deficiencies 

Other deficiencies in either the design or operation of Controls may be identi- 
fied by management through testing or the monitoring fonction, or they may 
be implied by customer complaints and spécial allowances or returns or mis- 
stated financial statement amounts. These deficiencies can range in judgment 
from trivial to material, depending on the facts and circumstances. Judgment 
and considération of qualitative factors are necessary in assessing severity. 
Many of the operating deficiencies in control activities and IT general Controls 
would be run through the Deficiency Framework charts to assist in assessing 
the severity. Exhibit 7.2 présents deficiencies that might be encountered. 

Inadéquate Documentation 

While documenting company Controls has been a requirement of public com- 
panies for many years, lack of adéquate Controls documentation is a deficiency 
for any entity. Without Controls documentation, it may be difficult to identify 
the Controls that exist and the gaps that should be iden t ified and corrected. It 
may be difficult for management to monitor Controls that are not documented 
and to create consistency in processing and Controls over time, when entity 
accounting staff retire or change. Most people can relate to the parlor game 
where a joke or phrase is passed via oral communication from person to 
person, and the beginning and ending communications are often found to be 
quite different. The same can happen with oral policies and procedures: They 


152 


ASSESSING DESIGN EFFECTIVENESS AND OPERATING EFFECTIVENESS 


Design Deficiencies 

• Inadéquate design of internai control over a significant account or process, 
including the préparation of the financial statements. 

• Inadéquate documentation of internai control (ail five components). 

• Insufficient attention to creating the proper control environment — for example, 
tone at the top, lack of ethics statements, fraud consciousness, or communication 
of values. 

• Inadéquate ségrégation of duties within a significant account or process. 

• Absent or inadéquate physical Controls over the safeguarding of assets from loss 
or theft (e.g., "shrink" in the retail industry). If an entity has excellent accounting 
Controls to identify any physical loss before the financial statements are prepared, 
that may be an adéquate compensating control to mitigate the financial reporting 
weakness, but management should assessthe risksand costs offailingto implement 
préventive measures to mitigate losses. 

• Inadéquate attention to the design of information technology (IT) general Controls 
(e.g., security and access, change Controls, new System implémentations and 
operating issues) and accounting-related software application Controls that may 
prevent the information System from processing authorized transactions as needed 
for financial reporting and monitoring needs. 

• Employées or management who lack the qualifications and training to apply 
generally accepted accounting principles in recording transactions or the skills 
and knowledge to préparé the financial statements and footnotes. 

• Ineffective design or documentation of the monitoring function. 


Operating Deficiencies 

• Observed deficiencies in the performance of Controls over a significant account 
or process. This may be observed from a failure to perform a control, such as 
a bank réconciliation or the failure to adequately follow up on exceptions that 
should be investigated or as a resuit of a financial statement error that would 
imply a control failure. Recall that the absence of financial statement deficiencies 
is not an indicator that Controls are operating effectively, but the identification of 
misstatements is a valid indicator that Controls may hâve not operated effectively. 

• Failures of safeguarding Controls to prevent loss from damage or theft that are 
not timely detected by financial accounting Controls and properly reported in the 
financial statements and communicated to management. 

• Failures of the reports and other information and communication components 
to provide timely, accurate, and relevant information to the appropriate levels of 
personnel and management to enablethem to perform their management functions 
and monitor operations and related financial data. Flooding management with 
irrelevant information that obscures relevant information is as much a deficiency 
as failing to provide adéquate information. 


Exhibit 7.2 Design and Operating Deficiencies 


CONDITIONS INDICATING CONTROL DEFICIENCES 


153 


will migrate over time and circumstances, often becoming something quite 
unintended. 

At a certain level, the total lack documentation of processes and Controls 
may render your data unauditable and the préparation of financial statements 
and disclosures impossible. Your certified public accountant may refuse to 
undertake an engagement under such circumstances. 

Many people believe that a robust accounting and procedures manual is a 
minimum threshold for documenting control activities. To the extent practical, 
the manual should also address control environment issues, monitoring (e.g., 
what and by whom), and reports that are to be generated (and when and to 
whom). Some accounting manuals include these topics: 

• Procedures and Controls over the main revenues and expenses (includ- 
ing payroll) of the entity 

• Measures to protect the personal data of employées 

• The bank and investment accounts, and authorized persons to sign 
checks or direct investments in those accounts 

• Measures to safeguard entity assets 

• Insurance information 

• Bonding information regarding accounting or cash-handling employées 

• IT policies and procedures 

• Templates for reports to be generated periodically 

• Financial statement and disclosure examples 

• Statements of ethical values or codes of conduct and antifraud pro- 
grams and Controls 

• Harassment and whistleblower policies and procedures 

When Controls are documented in accordance with the COSO Framework 
format discussed in this book, the amount of independent auditor time nec- 
essary to obtain and understand of internai Controls is reduced, resulting in 
audit savings for the entity. 

Not-for-profit entities are facing increasing scrutiny from the Internai Rev- 
enue Service for keeping adéquate books and records to support their tax 
status and their reported Form 990. States such as California hâve enacted 
statutes, such as the Nonprofit Integrity Act of 2004, which call for audits 
and public disclosure of the financial statements and other requirements for 
not-for-profits with over $2 million in gross revenues. There is increasing 
pressure at various levels for more accountability in these organizations, and 
numerous fédéral, State, and local committees are discussing the imposition of 
SOX-like législation to raise the organizations’ accountability to the public. 
Be mindful of any such législation that relates to your entity. 


154 


ASSESSING DESIGN EFFECTIVENESS AND OPERATING EFFECTIVENESS 


Government entities should also note that in the development of the AICPA 
Attestation Standard for reporting on internai Controls, task force participants 
expressed the intention of imposing internai control reporting requirements 
on govemment entities at some point in time, perhaps starting with reports on 
the design of Controls and ultimately resulting in reporting on both the design 
and operating effectiveness of Controls. Smaller banks hâve been reporting 
on their internai Controls for some years and continue to do so under the 
revised auditing guidance in the AICPA’ s Attestation Standard AT 501. 

Inadéquate Evidence of Controls Performance 

A source of misunderstanding and potential friction arises when the indepen- 
dent auditor is unable to see any evidence that the control operated or the 
monitoring occurred. COSO conceptually accepts the premise that Controls 
could operate but not inherently leave evidence of their operation. Auditors 
unfortunately are uncomfortable with this concept, as there is no evidence 
they can rely on that the control procedure or oversight was performed. In 
such cases auditors may need to make additional observations of the control 
being performed, reperform more examples of the control operation, and per- 
forai extended inquiries to be satisfied the control exists and is in use. That 
costs auditors time, which costs you money. 

In many cases, a simple method can be devised to indicate the performance 
of a task, but people often resist such measures. Initialing and dating a bank 
réconciliation (or use of a stamp to do so) can be evidence of its performance 
by the authorized person and can also be used to prove its review by a 
member of management as a part of the monitoring process. Altematively, 
lists of tasks, such as some of the scheduled monitoring fonctions, can be 
documented quickly and easily that the task was performed and by whom 
and when. While auditors generally will test that the list or form is accurate, 
it is simpler and cheaper to audit this form to establish its reliability than to 
establish that the individual Controls are in place by other means. 

EXAMPLES OF EVALUATING THE SEVERITY OF DEFICIENCES 
Manual Control Deficiencies 

During your monitoring of Controls over sales, suppose you note a num- 
ber of instances where crédit sales were accepted from customers who were 
not preapproved, as they were supposed to be in accordance with the doc- 
umented Controls. Your further inquiry does not reveal a reason for these 


EXAMPLES OF EVALUATING THE SEVERITY OF DEFICIENCES 


155 


exceptions. Since the preapproval of customers is considered to be an impor- 
tant control for your organization to prevent losses, the incidence of the 
findings is a concem. Whether sampling Controls or monitoring, when the 
incidence of unexpected exceptions exceeds expectations, the likelihood cri- 
teria (Exhibit 7A.1) are generally met. Next the review tums to the magnitude 
of the potential misstatement. 7 

Following the general structure of Exhibit 7A.2, the gross crédit sales annu- 
ally “exposed” is $1,000,000 and financial statement materiality is assessed 
to be $10,000. A second review of ail transactions over $2,000 is tested and 
seems to be working, and this is considered to be a compensating control 
that limits the risk of a material misstatement being caused by this control 
deficiency. Further, sales monitoring at an even higher level might prevent a 
single material transaction from escaping scrutiny. 

Based on this information, plus considering any qualitative factors and 
stepping back to consider how a reasonable person (e.g., prudent official) 
might view the deficiency, management concludes that the compensating 
control limits the risk that failure of the lower-level control will lead to a 
material misstatement. However, management is unable to conclude that the 
Controls are working well enough to limit the misstatements to an inconse- 
quential level. 8 Thus, this control is considered a significant deficiency based 
on the fact that the deficiency could lead to misstatement of more than an 
inconsequential amount. 

If total crédit sales were less than material to the overall operations, this 
deficiency might be assessed at just a deficiency, since there would be a low 
risk that the control deficiency could lead to a material misstatement. 

Automated Control Deficiencies 

Deficiencies in automated Controls that are considered key in achieving a con- 
trol objective are generally found to be deficiencies in design, as automated 
(computerized) Controls should operate consistently. However, automated 
Controls can be programmed to process transactions from different sources 
differently, so exceptions need to be investigated to détermine the reasons 
and the conditions under which the control will not perform as desired. 

If the control failure is due to a design deficiency, the magnitude of the 
possible deficiency needs to be considered. If the control is important to 


7. When the likelihood of misstatement is assessed as negligible, then the assessment process can 
assign an exception level to any déviation instances. 

8. An inconsequential “threshold” of 20% of materiality has been observed in practice in connection 
with deficiencies identified on public company audits. 


156 ASSESSING DESIGN EFFECTIVENESS AND OPERATING EFFECTIVENESS 

achieving a control objective or attribute, the initial assessment is likely to 
resuit in a material weakness assessment, and any compensating or comple- 
mentary or monitoring Controls that might serve to limit the deficiency would 
be considered. 

A benefit of an automated control (e.g., sales order prices are checked 
against an approved sales price database listing) is that it often needs to be 
tested only once or a few times when IT general Controls are effective, as an 
automated control should perform consistently. 

Some Controls are actually combinations of automated and manual proce- 
dures. For example, an automated control may select payments that do not 
exactly match approved invoices for a manual réconciliation. In such cases, 
both Controls need to operate in order for the control to be effective. The 
automated portion of the control might need to be tested only one or a few 
times, since automated Controls generally operate consistently in an effective 
IT general Controls environment. However, to reach the same conclusion on 
the manual control, more instances are generally examined since the manual 
process can lead to instances where the control does not function effectively 
due to inconsistency in human processes. In most cases the combination 
control is assessed as a unit, as both phases need to be effective. 

If the manual portion of the control fails often enough to meet the likeli- 
hood test, then the magnitude of the potential deficiency needs to be exam- 
ined. Suppose management wanted to use an upper limit methodology to 
assess magnitude. If one unplanned-for manual procedure déviation was 
found in 45 control instances examined, then the observed déviation rate 
was 2.2%. Using statistical sampling tables or computer programs at a 90% 
level of confidence, the upper limit on the error rate can be determined to be 
approximately 8.4%. If 8.4% of the population of $1,000,000 were misstated, 
the limit on the amount would be $84,000. This method of quantifying the 
deficiency amount helps to relate the test findings to the materiality criteria, 
but rests on assumptions about the relationship between the incidence of con- 
trol failures and the dollar amounts. People who are assessing the severity 
of deficiencies can use either the upper limit approach or the approach that 
considers compensating and monitoring Controls; both methods should not be 
applied to the same déviation since they are both approaches to quantifying 
the possible magnitude, but they do not work together in reducing the true 
magnitude. 9 


9. Using both together results in a double-counting effect and will likely understate the magnitude 


EXAMPLES OF EVALUATING THE SEVERITY OF DEFICIENCES 


157 


IT General Control Deficiencies 

In general, IT general control deficiencies do not cause misstatements, but lax 
ITGC Controls may permit misstatements to occur in the underlying applica- 
tions or data. 

A failure to implement passwords to limit access to programs or data at 
the network or accounting software level is generally assessed as a material 
weakness. If anyone can access the software and initiate transactions, such as 
to schedule payments or change data files, perhaps to divert funds, then the 
entity is highly exposed to fraud risk. A unique aspect of this deficiency is 
the ability of talented fraudsters to cover their tracks after making changes to 
the accounts or data. In many smaller entities where passwords are used, they 
are taped to drawers or put on monitors. The appearance of any protection 
whatsoever is misleading. The blessing here is that such poor practices can 
be easily remediated. 

While smaller entities should change passwords periodically and use appro- 
priate firewall protection for network connections to the Internet, it is not 
anticipated that one size fits ail regarding security. Some cost-benefit con- 
sidération will enter into the équation of whether the designed protection is 
adéquate for the assessed risk. 

Failure to restrict access to programs and data can expose a company to 
unauthorized, fraudulent activity. Deliberate management manipulations of 
files and programs in the case of the SECv. Livent (see www.sec.gov) show 
the importance of security and access Controls and the risk associated with 
this element of IT general Controls. 

In the Livent case, the lack of auditor attention to Controls (including IT) 
opened the door to a management record-keeping fraud involving misdirect- 
ing the costs of projects to underbudget or incomplète projects in order to hide 
impending losses in other projects. The complexity of the scheme required 
the fraudsters to keep track of the true State of affairs so that payments would 
still be made on time. Unrestricted access to the accounting System was nec- 
essary to create the doctored records from the real records. Programs were 
written to keep track of the true and bogus records. Cost transfers are also 
a fertile technique for making inappropriate charges to certain govemment 
contracts to maximize the overall entity returns on such projects. 

Many smaller and less complex entities use packaged software that hâve 
few user options to customize processing logic. In such cases, the absence of 
a change control process may not be relevant, since the underlying software 
may not allow user-requested changes. Also, in the absence of implementing 
new software, the IT general Controls relating to new System development 


158 


ASSESSING DESIGN EFFECTIVENESS AND OPERATING EFFECTIVENESS 


and implémentation are probably not relevant to many businesses, and defi- 
ciencies in the procedures would not resuit in a significant or material ITGC 
deficiency finding. 

Failure to perform timely backups or failure to monitor and evaluate Sys- 
tems issues, while often easy to fix, could be serious issues and should be 
assessed as to their severity and reported to management. 

Failures in the ITGC Controls may preclude auditors from relying on auto- 
mated Controls as an audit strategy and may raise the costs of audits because 
of the need to perform extensive substantive detail procedures. 

As mentioned, entities reporting on internai Controls “as of ’ a date may not 
assess some ITGC deficiencies as significant deficiencies or material weak- 
nesses if the underlying application Controls can be shown to be effective at 
the “as of’ date. Exhibit 7A.3 reflects this thinking as it was prepared to be 
used in conjunction with public company reporting on internai Controls using 
the “as of ’ assumption. 


Aggregating Deficiencies 

If an entity identifies numerous significant deficiencies in Controls over rev- 
enue and these deficiencies effect primarily the existence assertion, considér- 
ation should be given as to whether, in combination, the control deficiencies 
constitute a material weakness since they are concentrated in the revenue 
account and the existence assertion. 

If the same number of significant deficiencies were spread out to the 
accounts, assertions, and COSO components, in the aggregate they might 
not be considered a material weakness. 

Some public company engagements to report on Controls under SOX iden- 
tified literally hundreds of deficiencies spread across the entity locations, 
accounts, and COSO components. Across an entity, so many deficiencies 
and significant deficiencies might be identified, even if they are somewhat 
disbursed among the accounts and assertions and COSO components, that a 
reasonable person would conclude that a material weakness in Controls exists 
in the entity. 10 


OVERALL ASSESSMENT 

A conclusion that internai Controls are ineffective will arise when a mate- 
rial weakness exists in any COSO component, or when an aggregation of 


10. Some auditors in practice 


refer to this condition 


“camival.” 


OVERALL ASSESSMENT 


159 


deficiencies leads to such a conclusion, or when considering ail the deficien- 
cies would lead to a conclusion that, on an overall basis, a material weakness 
exists. Aggregation of deficiencies in a COSO component, account, or process 
or in an assertion would preclude you or your auditor from concluding that 
internai Controls were effective. You should examine any identified deficien- 
cies from different perspectives before concluding that Controls are effective. 
Suppose that a particular location was poorly controlled as a unit. Then ail 
the transaction processing at that unit could be exposed to those poor Con- 
trols, and the aggregate “exposure” to the entity could be more significant 
than the relative asset or income base might indicate. 

Like some professional examinations, you need to get passing grades on ail 
parts of the COSO examination in order to pass. No piecemeal or except-for 
opinions are directed to the partial effectiveness of internai Controls. This fact 
reinforces the overarching concept of the integrated nature of Controls. The 
weakest link defines the strength of the chain. 

Additional examples of deficiency assessments from the auditor perspec- 
tive are illustrated in the AICPA audit guide, Assessing and Responding to 
Audit Risk in a Financial Statement Audit and in AICPA audit risk alert, 
Understanding SAS No. 112 and Evaluating Control Deficiencies , n 


11. Both publications are by the AICPA, New York, NY 2006. 


Appendix 7 A 

A Framework for Evaluating 
Control Exceptions and 
Deficiencies 


VERSION 3 DECEMBER 20, 2004 


Introduction and Purpose 160 

Cuiding Principles 162 

Chart 1 Evaluating Exceptions Found in the Testing of Operating 

Effectiveness 1 63 

Chart 2 Evaluating Process/Transaction-Level Control Deficiencies 165 
Chart 3 Evaluating Information Technology General Control (ITGC) 

Deficiencies 1 69 

Chart4 Evaluating Control Deficiencies in Pervasive Controls Other 

than ITGC 1 72 

Terminology 176 


INTRODUCTION AND PURPOSE 

This paper outlines a suggested framework for evaluating exceptions and 
deficiencies resulting from the évaluation of a company’ s internai control 
over financial reporting. Issuers and auditors may find this framework useful. 

This paper should be read in conjunction with Auditing Standard No. 2, An 
Audit of Internai Control Over Financial Reporting Performed in Conjunction 
With an Audit of Financial Statements (AS 2), especially the définitions in 
paragraphs 8 through 10, the section on evaluating deficiencies in paragraphs 
130 through 141, the examples of significant deficiencies and material weak- 
nesses in Appendix D, and the Background and Basis for Conclusions in 


160 


INTRODUCTION AND PURPOSE 


161 


Appendix E. The framework is not a substitute for AS 2 and other relevant 
professional literature. 

The framework was developed by représentatives of the following nine 
firms: 

BDO Seidman LLP 

Crowe Chizek and Company LLC 

Deloitte & Touche LLP 

Ernst & Young LLP 

Grant Thornton LLP 

Harbinger PLC 

KPMG LLP 

McGladrey & Pullen LLP 
PricewaterhouseCoopers LLP 

In addition, William L. Messier, Jr., Professor, Georgia State University, 
also contributed to the development of the framework. 

This framework reflects their views on a framework consistent with their 
understanding of AS 2. 

The framework represents a thought process that will require significant 
judgment. The objective of the framework is to assist knowledgeable and 
experienced individuals in evaluating deficiencies in a consistent manner. 
The mere mechanical application of this framework will not, in and of 
itself, necessarily lead to an appropriate conclusion. Because of the need to 
apply judgment and to consider and weigh quantitative and qualitative fac- 
tors, different individuals evaluating similar fact patterns may reach different 
conclusions. 

The framework recognizes the requirement in AS 2 to consider likelihood 
and magnitude in evaluating deficiencies. It also recognizes that AS 2.136 
States: 

In evaluating the magnitude of the potential misstatement, the auditor should 
recognize that the maximum amount that an account balance or total of transac- 
tions can be overstated is generally the recorded amount. However, the recorded 
amount is not a limitation on the amount of potential understatement. The audi- 
tor also should recognize that the risk of misstatement might be different for the 
maximum possible misstatement than for lesser possible amounts. 

The framework applies these concepts through the évaluation of a combi- 
nation of magnitude and likelihood. Because of the wide variety of control 
types, population characteristics, and test exception implications, the group 
did not undertake to develop a purely quantitative model. Instead, the frame- 
work considers quantitative and qualitative factors. 


1 62 A FRAMEWORK FOR EVALUATING CONTROL EXCEPTIONS AND DEFICIENCES 

This paper does not address the détermination of materiality. Reference, 
in that regard, should be made to AS 2.23, which States: 

The same conceptual définition of materiality that applies to financial reporting 
applies to information on internai control over financial reporting, including the 
relevance of both quantitative and qualitative considérations.* 

■ The quantitative considérations are essentially the same as in an audit 
of financial statements and relate to whether misstatements that would 
not be prevented or detected hy internai control over financial reporting, 
individually or collectively, hâve a quantitatively material effect on the 
financial statements. 

■ The qualitative considérations apply to evaluating materiality with respect 
to the financial statements and to additional factors that relate to the per- 
ceived needs of reasonahle persons who will rely on the information. AS 
2.6 describes some qualitative considérations. 

* AU sec. 312, Audit Risk and Materiality in Conducting an Audit, provides 
additional explanation of materiality. 


GUIDING PRINCIPLES 

The principles set forth below correspond to the box numbers on the appro- 
priate charts included in this paper. 

The évaluation of individual exceptions and deficiencies is an itérative 
process. Although this paper depicts the évaluation process as a linear pro- 
gression, it may be appropriate at any point in the process to retum to and 
reconsider any previous step based on new information. 

In applying the framework, the following should be considered in deter- 
mining which chart(s) to use for evaluating individual exceptions and defi- 
ciencies: 

• Chart 1 is used to evaluate and détermine whether an exception noted 
in performing tests of operating effectiveness represents a control defi- 
ciency. 

• Chart 2 is used to evaluate and classify control deficiencies in manual 
or automated Controls that are directly related to achieving relevant 
financial statement assertions. 

• Chart 3 is used to evaluate and classify deficiencies in ITGCs that are 
intended to support the continued effective operation of Controls related 
to one or more relevant financial statement assertions. If an application 
control deficiency is related to or caused by an ITGC deficiency, the 
application control deficiency is evaluated using Chart 2 and the ITGC 
deficiency is evaluated using Chart 3. 


GUIDIMG PRINCIPLES 


163 


• Chart 4 is used to evaluate and classify control deficiencies in pervasive 
Controls other than ITGC. Such control deficiencies generally do not 
directly resuit in a misstatement. However, they may contribute to the 
likelihood of a misstatement at the process level. 

After evaluating and classifying individual deficiencies, considération 
should be given to the aggregation of the deficiencies using the guiding 
principles outlined in “Consider and Evaluate Deficiencies in the Aggregate” 
below. 

Evaluating Exceptions Found in the Testing of Operating 
Effectiveness (Chart 1 ) 


General 

The testing of Controls generally relates to significant processes and major 
classes of transactions for relevant financial statement assertions related to 
significant accounts and disclosures. Therefore, the underlying assumption 
is that ail exceptions/deficiencies resulting from the testing must be evalu- 
ated because they relate to accounts and disclosures that are material to the 
financial statements taken as a whole. 

The purpose of tests of Controls is to achieve a high level of assurance 
that the Controls are operating effectively. Therefore, the sample sizes used to 
test Controls should provide that level of comfort. In cases in which samples 
are selected using a statistically based approach, sample sizes for frequently 
operating manual Controls that resuit in less than a 90% level of confidence 
that the upper limit déviation rate does not exceed 10% typically would not 
provide a high level of assurance. (Refer to the AICPA Audit and Accounting 
Guide, Audit Sampling). 

The magnitude of a control deficiency (i.e., deficiency, significant defi- 
ciency, or material weakness) is evaluated based on the impact of known 
and/or potential misstatements on annual and intérim financial statements. 

While some of the concepts discussed in this paper relate to statistical 
sampling, the framework does not require the use of statistical sampling. A 
statistical sample is (1) selected on a random or other basis that is repré- 
sentative of the population and (2) evaluated statistically. In tests of internai 
Controls, it may be impractical to select samples randomly, but they should 
be selected in an unbiased manner. 

Box 1. Ail exceptions should be evaluated quantitatively and qualitatively. 
A thorough understanding of the cause of the exception is important in evalu- 
ating whether a test exception represents a control deficiency. This évaluation 


164 


A FRAMEWORK FOR EVALUATING CONTROL EXCEPTIONS AND DEFICIENCES 



Individual boxes should be read in conjunction with the corresponding guiding principles. 


Exhibit 7A.t Chart 1 — Evaluating Exceptions Found in the Testingof Operating 
Effectiveness 

should consider the potential implications with regard to the effectiveness of 
other Controls, e.g., the company’ s ITGCs and other COSO components. 

In concluding whether the test objective was met, considérations include: 

• The déviation rate in relation to the frequency of performance of the 
control (e.g., absent extending the test, there is a presumption that 
an exception in a control that opérâtes less frequently than daily is a 
control deficiency). 

• Qualitative factors, including exceptions that are determined to be sys- 
tematic and recurring or that relate to the factors outlined in AS 2.133, 
139, and 140. 

• Whether the exception is known to hâve resulted in a financial state- 
ment misstatement (e.g., there is a presumption that an exception that 
results in a financial statement misstatement in excess of the level 
of précision at which the control is designed to operate, is a control 
deficiency). 

A control objective may be achieved by a single control or a combination 
of Controls. A test of Controls may be designed to test a single control that 
alone achieves the control objective or a number of individual Controls that 
together achieve the control objective. 

Box 2. If the test objective is not met, considération should be given to 
whether additional testing could support a conclusion that the déviation rate is 
not représentative of the total population. For example, if observed exceptions 


GUIDIMG PRINCIPLES 


165 


resuit in a non-negligible déviation rate, then the test objective initially is not 
met. In a test designed to allow for finding one or more déviations, the test 
objective is not met if the actual number of déviations found exceeds the 
number of déviations allowed for in the plan. 

Box 3. If the test objective initially is not met, then there are two options: 

• If the observed exceptions and resulting non-negligible déviation rate 
are not believed to be représentative of the population (e.g., because 
of sampling error), the test may be extended and re-evaluated. 

• If the observed exceptions and resulting non-negligible déviation rate 
are believed to be représentative of the population, the exceptions are 
considered to be a control deficiency and its significance is assessed. 

Evaluating Process/Transaction-Level Control Deficiencies 
(Chart 2) 

Step 1. Détermine whether a significant deficiency exists: 

Box 1. When evaluating deficiencies, potential magnitude (inconsequential, 
more than inconsequential, or material) is based on the potential effect on 
both annual and intérim financial statements. The potential magnitude of 
a misstatement of annual or intérim financial statements of not more than 
inconsequential results in the déficient control being classified as only a defi- 
ciency, absent any qualitative factors, including those in AS 2.9, 137, 139, and 
140. Potential magnitude of misstatement may be based on gross exposure, 
adjusted exposure, or other appropriate methods that consider the likelihood 
of misstatement. 

Boxes 2 & 3. If there are Controls that effectively mitigate a control defi- 
ciency, it is classified as only a deficiency, absent any qualitative factors, 
including those in AS 2.9, 137, 139, and 140. Such Controls include: 

• Complementary or redundant Controls that achieve the same control 
objective 

• Compensating Controls that operate at a level of précision that would 
resuit in the prévention or détection of a more than inconsequential 
misstatement of annual or intérim financial statements 

Boxes 1, 2, and 3 should be considered separately. Adjusted exposure 
should not be reduced by the quantitative impact of the compensating and 
complementary or redundant Controls. 

Box 3. An unmitigated déficient control that results in a control objective 
not being met related to a significant account or disclosure generally results in 


166 


A FRAMEWORK FOR EVALUATING CONTROL EXCEPTIONS AND DEFICIENCES 


Step 1: Détermine whether a significant deficiency exists. 



Individual boxes should 1 


i with the corresponding guiding principles. 


Exhibit 7A.2 Chart 2 — Evaluatinc Process/Transaction-Level Control Defiœncies 


GUIDIMG PRINCIPLES 


167 


a more than remote likelihood of a more than inconsequential misstatement of 
annual or intérim financial statements and, therefore, is at least a significant 
deficiency. 

Step 2. Détermine whether a material weakness exists 

Box 4. The potential magnitude of a misstatement of annual or intérim 
financial statements that is less than material results in the déficient con- 
trol being classified as only a significant deficiency, absent any qualitative 
factors, including those in AS 2.9, 137, 139, and 140. Potential magnitude 
may be based on gross exposure, adjusted exposure, or other appropriate 
methods that consider the likelihood of misstatement. 

Box 5. Compensating Controls that operate at a level of précision that 
would resuit in the prévention or détection of a material misstatement of 
annual or intérim financial statements may support a conclusion that the 
deficiency is not a material weakness. 

Box 6. In evaluating likelihood and magnitude, related factors include but 
are not limited to the following: 

• The nature of the financial statement accounts, disclosures, and asser- 
tions involved; for example, suspense accounts and related party trans- 
actions involve greater risk. 

• The susceptibility of the related assets or liability to loss or fraud; that 
is, greater susceptibility increases risk. 

• The subjectivity, complexity, or extent of judgment required to déter- 
mine the amount involved; that is, greater subjectivity, complexity, 
or judgment, like that related to an accounting estimate, increases 
risk. 

• The cause and frequency of known or detected exceptions in the oper- 
ating effectiveness of a control; for example, a control with an observed 
non-negligible déviation rate is a deficiency. 

• The interaction or relationship with other Controls; that is, the interde- 
pendence or redundancy of Controls. 

• The possible future conséquences of the deficiency. 

• An indication of increased risk evidenced by a history of misstate- 
ments, including misstatements identified in the current year (AS 
2.140). 

• The adjusted exposure in relation to overall materiality. This frame- 
work recognizes that in evaluating deficiencies, the risk of misstate- 
ment might be different for the maximum possible misstatement than 
for lesser possible amounts. 


1 68 A FRAMEWORK FOR EVALUATING CONTROL EXCEPTIONS AND DEFICIENCES 

As a resuit of this additional évaluation, détermine whether the likelihood 
of a material misstatement to both the annual and intérim financial state- 
ments is remote. In extremely rare circumstances, this additional évaluation 
could resuit in a judgment that the likelihood of a more than inconsequential 
misstatement to both the annual and intérim financial statements is remote. 

Boxes 7 & 8. When determining the classification of a dehciency, consider 
AS 2.137, which States: 

When evaluating the significance of a dehciency in internai control over financial 
reporting, the auditor also should détermine the level of detail and degree of 
assurance that would satisfy prudent officiais in the conduct of their own affaire 
that they hâve reasonable assurance that transactions are recorded as necessary 
to permit the préparation of financial statements in conformity with generally 
accepted accounting principles. If the auditor détermines that the dehciency would 
prevent prudent officiais in the conduct of their own affaire from concluding that 
they hâve reasonable assurance, 1 then the auditor should deem the dehciency 
to be at least a signihcant dehciency. Having determined in this manner that a 
dehciency represents a signihcant dehciency, the auditor must further evaluate 
the dehciency to détermine whether individually, or in combination with other 
dehciencies, the dehciency is a material weakness. 

Note: AS 2.9 and. 10 provide the définitions of signihcant dehciency and 
material weakness, respectively. 

Additional considérations related to misstatements identified 

A greater than de minimis misstatement of annual or intérim financial state- 
ments identified by management or by the auditor during a test of Controls or 
during a substantive test is ordinarily indicative of a deficiency in the design 
and/or perating effectiveness of a control, which is evaluated as follows: 

• The design and/or operating deficiency(ies) that did not prevent 
or detect the misstatement should be identified and evaluated 
based on Chart 2 — Evaluating Process/Transaction-Level Control 
Deficiencies — applying the following: 

o A known or likely (including projected) misstatement that is incon- 
sequential to annual or intérim financial statements is at least a 
deficiency. 

o A known or likely (including projected) misstatement that is more 
than inconsequential to annual or intérim financial statements is a 
strong indicator of a signihcant deficiency. 


1 . See SEC Staff Accounting Bulletin Topic 1 M2, Iminaterial Misstatements That Are Intentional, 
for further discussion about the level of detail and degree of assurance that would satisfy prudent 
officiais in the conduct of their own affairs. 


GUIDIMG PRINCIPLES 


169 


o A known or likely (including projected) misstatement that is mate- 
rial to annual or intérim financial statements, as addressed in AS 
2.140, is at least a significant deficiency and a strong indicator of 
a material weakness. 

• The implications on the effectiveness of other Controls, particularly 
compensating Controls, also should be considered. 

Evaluating ITGC Deficiencies (Chart 3) 

General. Deficiencies in ITGCs are evaluated in relation to their effect on 
application Controls. 

• ITGC deficiencies do not directly resuit in misstatements. 

• Misstatements may resuit from ineffective application Controls. 

There are three situations in which an ITGC deficiency can rise to the 

level of a material weakness: 

• An application control deficiency related to or caused by an ITGC 
deficiency is classified as a material weakness 

• The pervasiveness and significance of an ITGC deficiency leads to a 
conclusion that there is a material weakness in the company’ s control 
environment 

• In accordance with AS 2.140, an ITGC deficiency classified as a sig- 
nificant deficiency remains uncorrected after some reasonable period 
of time 

In evaluating the effect of an ITGC deficiency on the continued effective 
operation of application Controls, it is not necessary to contemplate the likeli- 
hood that an effective application control could in a subséquent year become 
ineffective because of the déficient ITGC. 

Relationship between ITGCs and application Controls. An understand- 
ing of the relationship among applications relevant to internai control over 
financial reporting, the related application Controls, and ITGCs is necessary 
to appropriately evaluate ITGC deficiencies. ITGCs may affect the continued 
effective operation of application Controls. For example, an effective security 
administration function supports the continued effective functioning of appli- 
cation Controls that restrict access. As another example, effective program 
change Controls support the continued effective operation of programmed 
application Controls, such as a three-way match. ITGCs also may serve as 
Controls at the application level. For example, ITGCs may directly achieve 
the control objective of restricting access and thereby prevent initiation of 
unauthorized transactions. 


1 70 A FRAMEWORK FOR EVALUATING CONTROL EXCEPTIONS AND DEFICIENCES 

Similarly, ITGC deficiencies may adversely affect the continued effective 
functioning of application Controls; in the absence of application Controls, 
ITGC deficiencies also may represent control deficiencies for one or more 
relevant assertions. 

Evaluating ITGC deficiencies. Ail ITGC deficiencies are evaluated using 
Chart 3. Additionally, if an ITGC deficiency also represents a deficiency at 
the application level because it directly relates to an assertion, the ITGC 
deficiency also is evaluated using Chart 2. In ail cases, an ITGC deficiency 
is considered in combination with application Controls to détermine whether 
the combined effect of the ITGC deficiency and any application control defi- 
ciencies is a deficiency, significant deficiency, or material weakness. 

Box 1. Controls that effectively mitigate a control deficiency resuit in the 
deficiency being classified as only a deficiency, absent any qualitative factors, 



Deficiencies 


GUIDIMG PRINCIPLES 


171 


including those described in AS 2.9, 137, 139, and 140. Such Controls include 
complementary or redundant Controls that achieve the same control objective. 
An ITGC deficiency identified as a resuit of an application control deficiency 
indicates that other ITGCs could not hâve achieved the same control objective 
as the déficient ITGC. 

Box 2. If no deficiencies are identified at the application level (as evaluated 
in Chart 2), the ITGC deficiency could be classified as only a deficiency. 
(Refer to Box 5.) 

Boxes 3 & 4. If there is a control deficiency at the application level 
related to or caused by an ITGC deficiency, the ITGC deficiency is evalu- 
ated in combination with the deficiency in the underlying application control 
and generally is classified consistent with the application control deficiency, 
that is: 

• A material weakness in an application control related to or caused 
by an ITGC deficiency indicates that the ITGC deficiency also is a 
material weakness. 

• A significant deficiency in an application control related to or caused 
by an ITGC deficiency indicates that the ITGC deficiency also is a 
significant deficiency. 

• An application control deficiency (that is only a deficiency) related to 
or caused by an ITGC deficiency generally indicates that the ITGC 
deficiency is only a deficiency. 

Box 5. Notwithstanding the guiding principles relating to Boxes 1 through 
4, the classification of an ITGC deficiency(ies) should consider factors includ- 
ing but not limited to the following: 

• The nature and significance of the deficiency, e.g., does the deficiency 
relate to a single area in the program development process or is the 
entire process déficient? 

• The pervasiveness of the deficiency to applications and data, including: 
o The extent to which Controls related to significant accounts and 

underlying business processes are affected by the ITGC deficiency 
o The number of application Controls that are related to the ITGC 
deficiency 

o The number of control deficiencies at the application level that are 
related to or caused by the ITGC deficiency 

• The complexity of the company’ s Systems environment and the like- 
lihood that the deficiency could adversely affect application Controls 

• The relative proximity of the control to applications and data 


A FRAMEWORK FOR EVALUATING CONTROL EXCEPTIONS AND DEFICIENCES 


172 


• Whether an ITGC deficiency relates to applications or data for accounts 
or disclosures that are susceptible to loss or fraud 

• The cause and frequency of known or detected exceptions in the oper- 
ating effectiveness of an ITGC; for example, (1) a control with an 
observed non-negligible déviation rate, (2) an observed exception that 
is inconsistent with the expected effective operation of the ITGC, or 
(3) a deliberate failure to apply a control. 

• An indication of increased risk evidenced by a history of misstatements 
relating to applications affected by the ITGC deficiency, including 
misstatements in the current year 

When determining the classification of a deficiency, consider AS 2.137, 
which States: 

When evaluating the significance of a deficiency in internai control over financial 
reporting, the auditor also should détermine the level of detail and degree of 
assurance that would satisfy prudent officiais in the conduct of their own affaire 
that they hâve reasonable assurance that transactions are recorded as necessary 
to permit the préparation of financial statements in conformity with generally 
accepted accounting principles. If the auditor détermines that the deficiency would 
prevent prudent officiais in the conduct of their own affaire from concluding that 
they hâve reasonahle assurance, 2 then the auditor should deem the deficiency 
to be at least a significant deficiency. Having determined in this manner that a 
deficiency represents a significant deficiency, the auditor must further evaluate 
the deficiency to détermine whether individually, or in combination with other 
deficiencies, the deficiency is a material weakness. 

Note: AS 2.9 and. 10 provide the définitions of significant deficiency and 
material weakness, respectively. 

Additional considération 

ITGCs support the proper and consistent operation of automated application 
Controls. Therefore, considération should be given to the nature, timing, and 
extent of the testing of related application Controls affected by, or manual 
Controls dépendent on, the déficient ITGC. 

Evaluating Control Deficiencies in Pervasive Controls Other than 
ITGC (Chart 4) 

General. Deficiencies in pervasive Controls generally do not directly resuit 
in a misstatement. However, they may contribute to the likelihood of a 


2. See SEC Staff Accounting Bulletin Topic 1 M2, Iminaterial Misstatements That Are Intentional, 
for further discussion about the level of detail and degree of assurance that would satisfy prudent 
officiais in the conduct of their own affairs. 


GUIDIMG PRINCIPLES 


173 



Exhibit 7A.4 Chart 4 — Evaluating Control Deficiencies in Pervasive Controls Other 
Than ITCC 


misstatement at the process level. Accordingly, évaluation of a deficiency 
in a pervasive control other than ITGC is based on the likelihood that such 
deficiency would contribute to circumstances that could resuit in a misstate- 
ment. Quantitative methods generally are not conducive to evaluating such 
deficiencies. 

Step 1. Détermine whether a significant deficiency exists 

Boxes 1 & 2. A deficiency of the type described in AS 2.139 ordinarily results 
in deficiencies being at least a significant deficiency. The circumstances in 


1 74 A FRAMEWORK FOR EVALUATING CONTROL EXCEPTIONS AND DEFICIENCES 

which an évaluation would lead to the deficiency not being classified as a 
significant deficiency are rare. The circumstances identified in AS. 140 should 
be regarded as at least a significant deficiency and as a strong indicator of a 
material weakness. 

Box 3. Certain Controls could resuit in a judgment that the déficient control 
is limited to a deficiency and classified as only a deficiency, considering 
qualitative factors, including those in AS 2.9, 137, 139 and 140. Such Controls 
include: 

• Complementary or redundant programs or Controls 

• Compensating Controls within the same or another component 

Box 4. A deficiency with a more than remote likelihood that the deficiency 
would contribute to a more than inconsequential misstatement is a significant 
deficiency. Such judgment considers an évaluation of factors such as: 

• The pervasiveness of the deficiency across the entity 

• The relative significance of the déficient control to the component 

• An indication of increased risks of error (evidenced by a history of 
misstatement) 

• An increased susceptibility to fraud (including the risk of management 
override) 

• The cause and frequency of known or detected exceptions for the 
operating effectiveness of a control 

• The possible future conséquences of the deficiency 

Step 2. Détermine whether a material weakness exists 

Box 5. The évaluation of certain Controls could resuit in a judgment that 
the déficient control is limited to a significant deficiency and classified as 
such, considering qualitative factors, including those in AS 2.9, 137, 139 and 
140. Such Controls include compensating Controls within the same or another 
component. 

Box 6. A deficiency with a more than remote likelihood that the deficiency 
would contribute to a material misstatement is a material weakness. Such 
judgment considers an évaluation of factors such as: 

• The pervasiveness of the deficiency across the entity 

• The relative significance of the déficient control to the component 

• An indication of increased risks of error (evidenced by a history of 
misstatement) 

• An increased susceptibility to fraud (including the risk of management 
override) 


GUIDIMG PRINCIPLES 


175 


• The cause and frequency of known or detected exceptions for the 
operating effectiveness of a control 

• The possible future conséquences of the deficiency 

A deficiency of the type described in AS 2.140 is generally a material 
weakness; in limited circumstances, it may be appropriate to conclude the 
deficiency is only a significant deficiency (refer to AS.2 Appendix E99). 

Boxes 7 & 8. When determining the classification of a deficiency, consider 
AS 2.137,which States: 

When evaluating the significance of a deficiency in internai control over financial 
reporting, the auditor also should détermine the level of detail and degree of 
assurance that would satisfy prudent officiais in the conduct of their own affaire 
that they hâve reasonable assurance that transactions are recorded as necessary 
to permit the préparation of financial statements in conformity with generally 
accepted accounting principles. If the auditor détermines that the deficiency would 
prevent prudent officiais in the conduct of their own affaire from concluding that 
they hâve reasonable assurance, 3 then the auditor should deem the deficiency 
to be at least a significant deficiency. Having determined in this manner that a 
deficiency represents a significant deficiency, the auditor must further evaluate 
the deficiency to détermine whether individually, or in combination with other 
deficiencies, the deficiency is a material weakness. 

Note: AS2.9 and. 10 provide the définitions of significant deficiency and 
material weakness, respectively. 


Consider and Evaluate Deficiencies in the Aggregate 

Deficiencies are considered in the aggregate by significant account balance, 
disclosure and COSO component to détermine whether they collectively 
resuit in significant deficiencies or material weaknesses. Aggregation of con- 
trol activities deficiencies by significant account balance and disclosure is 
necessary since the existence of multiple control deficiencies related to a 
spécifie account balance or disclosure increases the likelihood of misstate- 
ment. Aggregation by the control environment, risk assessment, information 
and communication, and monitoring components of COSO is more difficult 
and judgmental. For example, unrelated control deficiencies relating to design 
ineffectiveness in other COSO components could lead to the conclusion that a 
significant deficiency or material weakness in the risk assessment component 
exists. Similarly, unrelated control deficiencies in other COSO components 


3. See SEC Staff Accounting Bulletin Topic 1 M2, Immaterial Misstatements That Are Intentional, 
for further discussion about the level of detail and degree of assurance that would satisfy prudent 
officiais in the conduct of their own affairs. 


1 76 A FRAMEWORK FOR EVALUATING CONTROL EXCEPTIONS AND DEFICIENCES 

could lead to a conclusion that a significant deficiency or material weakness 
in the control environment or monitoring component exists. 


TERMINOLOGY 

Adjusted exposure — gross exposure (see below) multiplied by the upper 
limit déviation rate. 

Application Controls — automated control procedures (e.g., calculations, 
posting to accounts, génération of reports, edits, control routines, etc.) or 
manual Controls that are dépendent on IT (e.g., the review by an inventory 
manager of an exception report when the exception report is generated by IT). 
When IT is used to initiate, authorize, record, process, or report transactions 
or other financial data for inclusion in financial statements, the Systems and 
programs may include Controls related to the corresponding assertions for sig- 
nificant accounts or disclosures or may be critical to the effective functioning 
of manual Controls that dépend on IT. 

Compensating Controls — Controls that operate at a level of précision that 
would resuit in the prévention or détection of a misstatement that was more 
than inconsequential or material, as applicable, to annual or intérim finan- 
cial statements. The level of précision should be established considering the 
possibility of further undetected misstatements. 

Complementary Controls — Controls that function together to achieve the 
same control objective. 

Control deficiency — a deficiency in the design or operation of a control 
that does not allow management or employées, in the normal course of per- 
forming their assigned functions, to prevent or detect misstatements on a 
timely basis. 

• A deficiency in design exists when (a) a control necessary to meet the 
control objective is missing or (b) an existing control is not properly 
designed so that, even if it opérâtes as designed, the control objective 
is not always met. 

• A deficiency in operation exists when a properly designed control does 
not operate as designed, or when the person performing the control 
does not possess the necessary authority or qualifications to perform 
the control effectively. 

Control objective — the objective(s) related to internai control over finan- 
cial reporting to achieve the assertions that underlie a company’ s financial 
statements. 


TERMINOLOGY 


177 


Gross exposure — a worst-case estimate of the magnitude of amounts or 
transactions exposed to the deficiency with regard to annual or intérim finan- 
cial statements, without regard to the upper limit déviation rate or likelihood 
of misstatement, and before considering complementary, redundant, or com- 
pensating Controls. Factors affecting gross exposure include: 

• The annual or intérim financial statement amounts or total transactions 
exposed to the deficiency. 

• The volume of activity in the account balance or class of transactions 
exposed to the deficiency that has occurred in the current annual or 
intérim period or that is expected in future periods. 

Inconsequential — 

• Potential misstatements equal to or greater than 20% of overall annual 
or intérim financial statement materiality are presumed to be more than 
inconsequential. 

• Potential misstatements less than 20% of overall annual or intérim 
financial statement materiality may be concluded to be more than 
inconsequential as a resuit of the considération of qualitative factors, 
as required by AS 2. 

Information technology general Controls (ITGCs) — policies and procedures 
that relate to many applications and support the effective functioning of 
application Controls by helping to ensure the continued proper operation of 
information Systems. This includes four basic IT areas that are relevant to 
internai control over financial reporting: 

• Program development 

• Program changes 

• Computer operations 

• Access to programs and data 

Material weakness — a significant deficiency, or combination of significant 
deficiencies, that results in more than a remote likelihood that a material mis- 
statement of the annual or intérim financial statements will not be prevented 
or detected. 

Pervasive Controls other than ITGC — the general programs and Controls 
within the control environment, risk assessment, monitoring, and information 
and communication, including portions of the financial reporting process, that 
hâve a pervasive impact on Controls at the process, transaction, or application 
level. 

Potential misstatement — an estimate of the mi sstatement that could resuit 
from a deficiency with a more than remote likelihood of occurrence. 


1 78 A FRAMEWORK FOR EVALUATING CONTROL EXCEPTIONS AND DEFICIENCES 

Redundant Controls — Controls that achieve the same control objective. 

Remote likelihood — the chance of the future event or events occurring is 
slight. 

Significant deficiency — a control deficiency, or combination of control 
deficiencies, that adversely affects the company’ s ability to initiate, authorize, 
record, process, or report extemal financial data reliably in accordance with 
generally accepted accounting principles such that there is more than a remote 
likelihood that a misstatement of the company’ s annual or intérim financial 
statements that is more than inconsequential will not be prevented or detected. 

Test objective — the design of the test of a control activity to détermine 
whether the control is operating as designed, giving considération to: 

• The nature of the control and the définition of an exception 

• The frequency with which the control opérâtes 

• The desired level of assurance in combination with the reliability of 
the control, for example, whether the control is designed to achieve the 
control objective alone or in combination with other Controls 

• The number of exceptions expected 

Upper limit déviation rate — the statistically derived estimate of the dévi- 
ation rate based on the sample results, for which there is a remote likelihood 
that the true déviation rate in the population exceeds this rate (refer to AICPA 
Audit and Accounting Guide, Audit Sampling). 


8 

Fraud Risksand Entity Self-Defense 


FRAUD-PHOBIC? 

This chapter focuses on the risks of fraud in smaller entities and is a short 
primer on fraud for smaller businesses and not-for-profits. Much has been 
written about fraud in govemment, and news stories abound. In most cases, 
these are the same frauds perpetrated on commercial entities, but in a different 
venue. Some States and municipalities seem to specialize in these types of 
activities. 

I am concemed that many smaller businesses and entities are unaware 
of, or insensitive to, the risks they might face. Particularly vulnérable are 
well-meaning social organizations and trusting individuals in family busi- 
nesses. As President Ronald Reagan noted: “Trust, but verify.” Good advice. 

Let us take a moment to define fraud a little bit. It might be defined as 
déception employed for personal gain. It may or may not involve an illégal 
act, but generally some law or convention is broken in the process. The term 
is a technical and legal one, and should not be used loosely. Even auditors and 
certified fraud examiners (CFEs) are cautioned to be careful in the use of the 
term, as “intent’ plays a large part in defining fraud in business situations. 
I use the term in this chapter and throughout the book because its nature 
is readily recognizable. In the context of financial reporting, Statement of 
Accounting Standards (SAS) No. 55, Considération of Internai Control in a 
Financial Statement Audit , States: “fraud is an intentional act that results in a 
material misstatement in financial statements that are the subject of an audit.” 

Actually, speaking of defense, long ago in my martial arts training I was 
told something that stuck with me. A bow is a sign of respect. A deep bow 
is a sign of significant respect, but a bow where you show the back of the 


179 


180 


FRAUD RISKS AND ENTITY SELF-DEFENSE 


neck may be interpreted as an insult, as it shows that you do not think your 
counterpart will dare to strike at you. Some people may feel that a company 
that is careless with the risk of fraud lacks respect for their intelligence, and 
that may motivate them to move on an opportunity. Honest people should 
not be insulted when Controls are put in place. It may actually be a relief for 
them to not run the risk of being blamed if someone else gets their hand in 
the proverbial cookie jar. 

First, let’s categorize the risks into two main groups: the risks from those 
outside the organization and the risks from those within the organization. We 
are generally more mindful of the threats from outside the organization, as 
we know that “evil lurks in the hearts of (some) men.” We lock our doors, 
put loose cash in a bank, and so on. We are a bit more reluctant to think that 
the person we see every day and who greets us and bakes us cookies at the 
holidays might be a problem. Yet, everyday there are stories about the trusted 
long-term employée who has been stealing the employer blind for years. In 
some cases the business itself is threatened or closes, and the entrepreneur 
never suspects the real reason. Looking at the 2006 statistics, for employées 
with over 10 years with the employer, the médian reported fraud loss was 
$263,000; for employées with between 1 and 5 years’ tenure, the médian loss 
was around $100,000. 

Sometimes a risk can be présent, and either outside forces alone or inside 
and outside forces work together to create the problem. For example, certain 
third parties out there would rather hâve a piece of your pie than bake their 
own. The vulnerabilities dépend on your business, and may not be as apparent 
in today’s world as in the past. We always had to worry about loose cash 
or portable assets walking away. But today, customer lists, trade secrets, and 
other intellectual property intangibles can be downloaded to a thumb drive 
and transported from your premises. Donor lists and such can fetch a fair 
price in the mailing list trade. The more specialized and focused the list, the 
more valuable it can be. Suppose a third party wants such information. That 
party can provide an incentive to someone from within your organization 
to obtain the information, or the third party may target your electronic files 
directly, through your Internet connection. 

The intention here is not to be fraud-phobic, but to recognize that effec- 
tive internai Controls hâve multiple benefits: creating more accurate financial 
statements and reducing fraud risk. 

Unfortunately, in my career I hâve witnessed several heartbreaking frauds 
that were perpetrated by family members. These can be particularly tricky, 
as émotions and other factors interfère with getting quickly to the bottom 


WHAT DO I DO IF. .. ? 


181 


of things, which is essential in getting recoveries after a fraud. These cases 
generally resuit in financial ruin, as they go on for so long and hâve so many 
layers of issues involved. Recoveries in these cases are particularly poor, 
as the resources are rarely available to investigate and résolve the issues 
effectively. Across ail reported occupational fraud cases in 2006, 1 in 42% of 
the cases, there was no recovery at ail. 

SOME COLD, HARD STATISTICS 

It does not huit to recount some of the statistics from reported frauds that 
remind us what we are up against. Recognize, however, that many frauds, 
even discovered ones, are not reported due to embarrassment and other issues. 

In its 2006 Report to the Nation on Occupational Fraud and Abuse, the 
Association of Certified Fraud Examiners cited some sobering statistics. 

• The médian public company fraud was $200, 000. 2 

• The médian private company fraud was $210,000 (yes, higher). 

• The médian govemment and not-for profit frauds were around 

$ 100 , 000 . 

Even scarier was the statistic for companies with fewer than 100 employ- 
ées. That médian reported fraud was $190,000. In contrast, for firms with 
more than 10,000 employées, the médian was lower: $150,000. 

Owners and executives and other well-paid persons tended to make the 
most of the opportunities. For those paid $500,000 per year and over, the 
médian business loss from their shenanigans was $8,000,000. 

WHAT DO I DO IF... ? 

If you are a business owner are/or feel you might be the victim of fraud 
or some abuse, you might feel a gamut of émotions. Be aware that your 
next actions can be the very most important ones in determining the truth 
and whether you might see any recovery. A confrontational response will 
generally be met with the destruction of key evidence and records you will 
later need to analyze in order to obtain a recovery and résolve the issue. You 
might even put your person in danger, as if you had cornered a wild animal. 
You will need legal advice and probably law enforcement action, but the 
préservation of evidence is key, and unless part of a plan, a lights and siren 


1 . 2006 ACFE Survey , cited previously . 

2. Médian means that half the reported frauds 


above this number and half ' 




182 


FRAUD RISKS AND ENTITY SELF-DEFENSE 


squad car response may not be the best one. Coordinate your responses in 
conjunction with legal advice. Stay cool. 

Many entities today hâve a fraud hotline that will take anonymous tips 
and follow up appropriately, as befits the situation. If your entity has such a 
hotline, it should be advertised, so pay attention to human resource postings 
or other notices. Going to a top boss (unless you suspect him or her to be 
part the problem) might be another alternative, but, again, the situation is 
tricky, and you might want to consult legal advice if you are not comfortable 
in determining next steps. 

Recent years hâve seen an expansion of whistleblower protections to 
employées of govemmental and some not-for-proht entities that report fraud 
or abuse. Understand what protections might be available to you under the 
law and under company policies and how to ensure those protections are 
available to you. 


THE FRAUD TRIANGLE 

The general concept of the fraud triangle was introduced in earlier literature, 
but rehned in SAS No. 99, Considération of Fraud in a Financial Statement 
Audit (2002). The concept is that many frauds share common characteristics: 

• Motivation 

• Opportunity 

• Rationalization 

Motivation is easy to understand when money is involved, but there can be 
other motivations of equal or greater force in some situations. Some frauds 
can be motivated by a person’s need for power, ego, or revenge. If the money 
was not worth the crime, look for the other motivations, as they are probably 
the key. 

Opportunity is of course a major contributor to fraud. In an environment 
of well-designed Controls, adéquate management oversight, and employée 
ethical standards, the opportunities are greatly reduced. At least the simple, 
stupid schemes that will make you ashamed you did not detect them in the 
hrst place will not haunt you (and lead to 20 years of “You should hâves . . .” 
from your business partner or, worse, your spouse). Better to be defrauded 
with pride by a clever scheme than be shamed by ineptness. Make them work 
at it! 

A new wrinkle in the équation that was enumerated in this recent auditing 
standard seems to be how fraudsters seem to hnd a rationale for their actions. 


DETECTING FRAUD 


183 


Some of these rationalizations are time-wom, but they do creep into the 
picture when needed to justify the fraud: 

• I always intended it be a loan. 

• As soon as I hit the lottery, I was going to repay the monies (the 
gambler’s promise). 

• I could not help myself. 

• I am underpaid, and this just balances things out more. [Earth to fraud- 
ster: We are ail underpaid, except maybe for a few guys on Wall Street, 
who thi nk they are too.] 

• Nobody seemed to care or notice, so I thought it was OK. 

• They hâve plenty. 

• I really needed the money (for the boat, house, boathouse, fur coat, 
jewelry, vacation home, face lift etc.). 

• I could not let (insert family relation or close personal friend’s name 
here) see me in this situation. 

• My (insert family relation here, also) was going to (leave/shame/kill) 
me if I was not able to get them a (insert name of worldly good here). 

As you can see, motivation and rationalization can be tied together, with 
some factors providing two legs of the three-legged stool. Once in a while we 
read stories about family medical bills, personal tragédies, and other issues in 
life that can be devastating motivators for fraud. Often it is pride and shame 
that keep people from seeking the help that is available in our society. An 
open and compassionate management or human resources fonction can be a 
great support to those in need, and often can help employées to find solutions 
within the law. Imagine how difficult things will be when the fraudster is 
incarcerated or is unable to find work because of a criminal record. How 
much help will the person be from that position to their family and those in 
true need? 


DETECTING FRAUD 

As an auditor by profession, I must say that it is embarrassing how few 
frauds are actually detected during independent audits. While management 
stands dumbfounded at frauds that are found by accident, and says “That’ s 
what I hired you for,” the reality is that financial statement audits are not 
forensic, and management would not be willing (or perhaps able) to pay for 
a true forensic audit every year. The auditor plans the audit to find material 
misstatements of the financial statements from error or fraud, but many frauds 


184 


FRAUD RISKS AND ENTITY SELF-DEFENSE 


are clever enough to escape détection until they are quite large — and by 
that time they often stand out like a sore thumb. Most frauds that in volve 
numbers in the financial statements eventually fall over of their own weight. 
For example, inventory frauds often need to keep increasing each year to keep 
the bail rolling, and they often grow so large that détection is just a matter 
of time. Nonaccountants sometimes do not realize that an overstatement of 
ending inventory in year 1 winds up as additional costs of sales in year 2, 
depressing profits by the amount that last year they were raised. Double-entry 
bookkeeping can be the demise of many a fraudster. 

More frauds are detected because of a tip — someone says something — 
than by any other means. The majority of frauds today are detected either by 
tips or by accident. In small businesses, accidentai discovery actually exceeds 
tips slightly as the source of détection. Better internai Controls, more auditor 
attention to Controls design, and more fraud awareness should change these 
statistics over time. 


SOME COMMON FRAUD RISK AREAS AND SCHEMES 

The frauds listed here are certainly not ail the risk areas to consider, but 
these are a few of the areas you might think through, particularly as you are 
reviewing your entity’s Controls in these areas. 

Sales and Cash Receipts 

• Common risks can include not even recording certain sales and fun- 
neling the money outside the entity. Such skimming can be hard to 
detect, but declining profit margins can be a sign. “Underringing” sales 
also allows the siphoning off of a part of money. Directly s ki mming 
cash contributions (e.g., to a charity) is not uncommon (and frightfully 
hard to detect). 

• In some cases, sales are actually diverted to another supplier by a sales- 
person and a kickback greater than the usual (“skimpy”) com mi ssion 
cornes back to the salesperson for the referral. 

• The deliberate underpricing of sales can lead to a kickback for those 
accepting the order. 

• Lapping of receipts can occur when cash customer receipts are taken 
and the sales to those customers are covered on the books by later 
receipts from other customers that are credited to the stolen cash cus- 
tomer accounts. 


SOME COMMON FRAUD RISK AREAS AND SCHEMES 


185 


Bogus crédit memoranda can be issued, or retums and allowances can 
be diverted for personal gain. In one case, cash deposits on rental 
fumiture were diverted and never deposited, but refunds of deposits 
were expended from company funds on présentation of the deposit 
receipt. 


Purchasing and Cash Disbursements 

A myriad of possibilities can go on here. 

• Purchasing departments are notorious breeding grounds for kickback 
schemes, where suppliers reward “faithful” customers of their product. 

• Kickback schemes can also exist where other services (e.g., landscap- 
ing, painting, driveway paving, etc.) are contracted for at higher-than- 
competitive rates, and the monies are diverted back to the inside 
contracting person. Sometimes the billed-for work is not even per- 
formed (are you an electrical inspecter?). Overpriced janitorial supplies 
are practically legendary in fraud annals. 

• Goods that are under-spec can be substituted for ordered items, result- 
ing in defective goods. Consider the liability when airplane engine 
bolts are defective. 

• Merchandise can sometimes be ordered through the entity but delivered 
or diverted to an employée’ s personal use. 

• Unreasonable expense reimbursement requests can divert organization 
funds. 

• Legitimate rebates for business purchases can be diverted for personal 
gain when the rebate form is completed in the employée’ s name. 

• Petty cash (it may not be petty to someone) used to be an area of 
audit interest, but is generally ignored in the financial audit today. It 
is still a great source of fictional writing. The petty cash (and cash 
advance) teller for a certified public accounting (CPA) firm was fired 
and prosecuted after 20 years of service for theft. While the auditor 
payout limit was $100, there were thousands of dollars behind the 
window. Pay attention to anything that is cash. 

Payroll 

• In smaller businesses, it is easy to recognize when a bogus employée 
is being paid, but in a municipality or State or in a large organization, 
how is this risk addressed? 


186 


FRAUD RISKS AND ENTITY SELF-DEFENSE 


As the payroll clerk, is there anything wrong with giving yourself a 
raise for a few weeks or months during the year? Then, before the 
auditor is scheduled to show up and test the recent payrolls you can 
take a pay-cut down to your approved salary. 

Another opportunity for you as the payroll clerk is to hâve other 
employées pay part of your taxes. You give yourself full crédit on 
your payroll tax forms. Uncle Sam himself will send you the payoff 
check in the form of a “refund.” 

Expense reimbursements are a notorious area for créative writing. Let’s 
generate some expenses! 


Equipment, Inventory and Anything Not Bolted Down 

While employées might covet a painting or a vase, the loss of office equip- 
ment, particularly computers, is common and potentially disastrous to a 
business or entity. In office buildings, these thefts often occur at night or 
over the weekend. Some brazenly occur during office hours. An insider 
leaving the outside back door open (or taping the lock so that the lock 
will not latch) or a complicit cleaning staff person may set this up. Sud- 
denly the fact that you hâve not made timely data backups becomes a big 
issue, as ail your records are somewhere, but not in your office. Do not 
think that the fact that you hâve a password on the computer renders it 
useless. Au contraire, many computers wind up being disassembled and par- 
titioned for parts. In other cases, skilled hackers can usually get data off 
the hard drive if they want it and/or can wipe the disk clean and reinstall 
software. 

What makes that really bad news for you is that State and fédéral laws can 
hold you responsible if an individual’s unencrypted personal data (e.g., social 
security number, driver’ s license, access information to a financial account) 
is lost. 

For example, in 2003, California passed a law dealing with identity theft, 
privacy, and security issues. Under this law, a State agency, person, or busi- 
ness that conducts business in California and owns or licenses computerized 
data that includes personal information must disclose any breach of the secu- 
rity of the data to the data owner. For more details of the law’ s requirements, 
see California Civil Code Sections 1798.82 and 1798.29. In similar législa- 
tion in December 2005, the New York State Information Security Breach and 
Notification Act became effective. The law was prompted by high number of 
information security breaches that occurred in 2005 as well as the information 


DEFENSIVE MEASURES 


187 


breach at ChoicePoint . 3 The time to start considering the risks of information 
loss and having unencrypted data is not the day after the equipment and data 
take a walk. 

Consult with your business advisor regarding such risks. A lot of commerce 
in the United States goes on in New York and California . 4 

If you are interested in consumer privacy issues, you might visit www. 
consumerprivacyguide.org. 

In some cases, inventory frauds hâve taken on massive proportions, such 
as the Great Salad Oil Swindle of décades ago, where storage tanks of “oil” 
were filled with water and a skim of oil floated on top to coat the measuring 
rods. While auditors worked through the maze of seemingly similar (and in 
actuality the same) storage tanks, workers were busy renumbering them so 
that “new” ones could be tested. 

In other cases, inventory was deliberately moved to where the inventory 
counts were going to happen so that the counts would agréé with the account- 
ing records in those locations. This hides shortages in those locations. This 
scam has happened in the retail industry and in trader leasing businesses. 
Sure, let them know when and where the counts are going to happen well in 
advance. Remember what was said earlier about monitoring and testing not 
becoming predictable? 

Most inventory frauds fall over at some point and get discovered. I would 
pick a better fraud than this type if I had a choice. 

DEFENSIVE MEASURES 

If you enumerate some of the fraud problems you might hâve when you are 
documenting and assessing Controls (put these issues in the “risks” column 
in the Committee of Sponsoring Organizations matrix), you will generally 
find that some Controls solutions corne to mind. But it can be a good idea to 
consult with your independent auditor or a fraud professional to get a take 
on any unique issues you might face. While less than a material fraud may 
be hard to detect with standard audit procedures, the CPA is generally pretty 


3. In 2005, the Personal financial records of more than 163,000 ChoicePoint consumers in tts 
database had been compromised. In 2006, ChoicePoint settled with the Fédéral Trade Commis- 
sion for $10 million in civil penalties and $5 million for consumer redress (http://www.ftc.gov/ 
opa/2006/01/choicepoint.shtm) Readers interested in this subject may find this website of interest: 
www.privacyrights.org/ar/ChronDataBreaches.htm 

4. An interesting article on this topic is “Laptop Lockdown: Companies Start Holding Employées 
Responsible for Security of Portable Devices They Use for Work,” Wall Street Journal, June 28, 
2006. 


188 


FRAUD RISKS AND ENTITY SELF-DEFENSE 


savvy at understanding such risks, diagnosing the problems, and suggesting 
some possible resolutions. Focus both on prévention and détection through 
monitoring or testing Controls. 

I sometimes liken the rôle of the CPA or fraud examiner in public account- 
ing to a pathologist. When he or she knows the end resuit, he or she can 
usually trace it back and identify a reason or a possible solution. But actually 
detecting a real fraud in an audit is more like general practice in medicine. 
It’s a matter of diagnosis — with a lot of art and luck going along with the 
science. How many award-winning pathologists are selected as primary care 
physicians? 

Another protection many businesses ignore is bonding employées who 
hâve significant financial responsibilities, especially when Controls are diffi- 
cult to design because of the limited size of the entity. Bonding may provide 
some sort of protection and makes it clear that you do care about possible 
theft and malfeasance. 

FOOD FOR THOUGHT: SOME EXAMPLES 

Here are a few snippets to test your faith in ail of humanity. 5 These are just 
variations on thèmes that we hâve discussed previously and probably happen 
every week in some form somewhere. The blessing is that so many people 
are honest and hardworking, but as Louie De Palma (Danny DeVito), the 
dispatcher for the cabbies at the Sunshine Cab Company in the TV sériés 
Taxi remarked “There is some number. . .” 

• Maplewood mom admits $1.5M theft from employer, “the grey haired 
bookkeeper and mother. . .used her office computer to gamble away 
$1.5 million belonging to the firm and the [legal] firm’s clients. . .his 
trusted bookkeeper of 17 years. . .she wrote ail the checks.” (Septem- 
ber 7, 2006) 

• Minister indicted on charges he stole $200,000 from elderly. “. . .from 
elderly residents he was assigned to protect as their court-appointed 
guardian. . .by, among other things, keeping money for himself. . .in 
another case he paid himself more than the amount set by judicial 
order. . .the supervision mechanism broke down.” (June 30, 2006) 

• Contractor accus ed in big theft ofenergy rebates found dead. “. . .stea- 
ling millions from the State Smart Start Buildings Program over a 


5. Unless otherwise noted, these examples were ail drawn from the Star-Ledger (New Jersey) on 
the dates indicated. 


FOOD FOR THOUGHT: SOME EXAMPLES 


189 


six-year period by inflating costs or billing the State for installations 
that were never done. . .$9 million. . .[another alleged conspirator] 
JCP&L’s coordinator for the incentive programs. . .défendants split the 
money after allegedly funneling the funds through a sériés of phantom 
companies” (February 1, 2007). 

Ex-rabbi admits stealing funds for the needy. “had control of the 
Rabbi’s discretionary fund. . .His was the sole signature needed on 
the account” (February 1, 2007). 

He stole from the poor and split it with a friend. Salvation Army 
employée pleads guilty to embezzling $385,000. “. . .admitted to cutting 
585 checks worth more than $385,000, then passing them to a friend 
who cashed them and split the proceeds. . .he covered his tracks by 

drafting invoices of checks he claimed were for needy beneficiaries 

The Salvation Army discovered the losses during an audit in 2002” 
(July 27, 2006). 

Ex-health worker accused of scamming infant nutrition program. 
“ . . .used a fédéral program to help poor mothers as her ‘personal 
piggy bank,’ stealing hundreds of thousands of dollars. . .she found 
various ways to skim money from the program. . .including using the 
program’ s crédit card to buy tens of thousands of dollars worth of items 
and services for herself. . .‘a hard-working decent woman’. . .given ‘her 
blood, sweat and effort to hold that program together. . ” (November 
10, 2006). 

At UMDNJ, an attempt to cover up $36M fraud. Monitor: No-show jobs 
for MD s led to referrals. “The State’ s medical university. . .bolster its 
troubled cardiac surgery program. . .18 cardiologists. . .no-show teach- 
ing jobs at salaries of $150,000 or more. . . refer patients. . .violated 
fédéral anti-kickback laws since 2003. . .there may conceivably be 
problems in other departments. . .” (November 12, 2006). 

Former Seton Hall prof essor admits stealing $200,000. As advisor to 
radio station, he diverted ad revenue. “. . .oversaw WSOU 89.5 Pirate 
Radio for nearly 20 years. . .‘I took funds meant for the radio station 
and deposited them into a personal bank account’. . .also charged with 
leasing out two of Seton Hall’ s sub-frequencies to local community 
stations and diverting the lease payments to. . .a fake company. . ,”(July 
13, 2006). 

Priest says raffle winners were “usually” real people. “. . .32 counts 
for misappropriating more than $600,000 in church funds. . .would 
see Father Bob around town. . .wondered why. . .‘never heard of any 


190 


FRAUD RISKS AND ENTITY SELF-DEFENSE 


Washington résident’ s winning. . .it always seemed to be people from 
out of town’. . .first suspected wrongdoing . . .a 20-year-old part-time 
bookkeeper. . .happened to open a bank statement before [the priest] 
could look at it. . . the 158-student K-5 school. . .was closed this past 
spring due to lack of funds” (September 22, 2006). 

San Diego charges. “The SEC has announced it has resolved its 
pension-fund fraud case against San Diego, with the City agreeing not 
to commit illégal shenanigans in the future. . .elected officiais wanted 
to keep its municipal workers happy. . .intentionally under-funded the 
pension fund for years. They used the “savings” to award. . .more ben- 
efits, some rétroactive. . .not a word of the fund’ s financial troubles to 
potential investors or bond analysts as it raised nearly $300 million 
in new municipal securities. . .levying fines or recommending criminal 
charges against culpable high-level city officiais” (éditorial by Nicole 
Gelinas in the Wall Street Journal, November, 27, 2006). 

Activist admits theft from nonprofit group. He says he took $156K. 
“. . .volunteer service. . .slush fund to keep himself in high style at fine 
hôtels and restaurants. . .used cancer awareness money to buy $275 
pair of designer Pelle shoes and a $374 fedora from a specialty shop 
in San Francisco. . .‘he was a trusted and well respected member of 
our organization’” (December 7, 2006). 

Key player gets prison in IRAQ contracts fraud. “. . .$8 million in 
Iraq reconstruction money through a gifts-for-contracts scheme. . .Con- 
tractors and military officers made sure [he] got the contracts. . .” 
(February 17, 2007). 

Morgan Stanley Settles with SEC on Systems issue. “. . .will pay $10 
million to settle allégations of a massive breakdown in Systems to pre- 
vent misuse of insider information. . .lacked adéquate policies and pro- 
cedures to safeguard against misuse of nonpublic information” {Wall 
Street Journal, June 28, 2006). 

Woman admits rôle in song royalty scheme; $1.2 million stolen from 
guild bank account. “. . .receiving more than $1 million in unauthorized 
royalty checks from a group representing songwriters. . .depositing in 
excess of $400,000 in royalty checks into her bank account. . .from an 
account for songwriters who could not be located” (August 31, 2006). 
EMT squad officer indicted in theft. “. . .charges he stole more than 

$144,000 the treasurer since 1999, and the sole signatory on the 

first aid squad bank account. . .also applied for a débit card. . .bills 


FOOD FOR THOUGHT: SOME EXAMPLES 


191 


weren’t being paid as quickly as they should hâve. . .used the money 
to pay personal bills and buy personal items” (August 8, 2006). 

NY school exec gets prison in $11 M theft. “. . .‘the most extraordinary 
theft’ from a school System in American history. . .school district’ s for- 
mer superintendent for business. . .agreed to repay $4.3 million. . .State 
auditor’s found. . .because some of the records are missing or were 
destroyed, prosecutors were only able to link about $7 million” 
(September 20, 2006). 

Ex-workers indicted in expense scam. Pair charged with cashing $1.4M 
in checks. “. . .creating. . .bogus expense checks and cashing them. . . 
handles marketing materials that go to physicians. . .sued by an insur- 
ance company that reimbursed. . .its alleged losses. . .287 fraudulent 
employée expense reimbursement checks. . .accounting clerk became 
suspicious in 2004 upon finding an employée expense check payable 
to one employée, but registered in the accounting records to a different 
employée. . .there was no backup documentation to support this check” 
(September 28, 2006). 

2 pals, hooked on gambling, pay the price. “. . .stealing more than 
$267,000 from the accounting firm to pay off gambling debts to an 
alleged mobster. . .start stealing money from [accounting firm], where 
he had access to checks. . .like ‘found money’. . .accounting directors 
at [accounting firm’ s] national finance office discovered three checks 
that had been falsely endorsed” (December 14, 2006). 

Two ex-tax collectors charged with $1.1 million rip-off. “Two former 
employées of a firm that collected delinquent taxes for the State were 
indicted yesterday on charges that they overcharged taxpayers by more 
than $1.1 million” (February 6, 2007). 

Priest is blamed for missing cash. Greek parish says $500,000 unac- 
counted for. “Parishioners said he disbanded the church council and 
took direct control of its finances. . . .After he left. . .reassigned to a 
church in Greece. . .[they] discovered more than a half million dollars 
in donations. . .was unaccounted for. . .dozens of relies. . .missing. . . 
filed a theft complaint. . .after they discovered he was selling church 
items on the Internet auction site eBay” (November 29, 2006). 

Man must repay the $28,751 that he stole while at UMDNJ. “Work- 
ing as a billing départaient cashier. . .reimbursing people who used 
their crédit cards to cover bills that later were paid to the hospital by 
health insurers. . .used to pay for clothing, fumiture and meals. . .used 


192 


FRAUD RISKS AND ENTITY SELF-DEFENSE 


hospital funds to pay his personal crédit card debts” (September 30, 
2006). 

Not ail interesting cases hit the news media. One university accounting 
départaient chair was found donating outdated and unused university com- 
puters to a charity and taking a personal tax déduction for the property (it still 
had the university property tags attached). Internai audit uncovered the miss- 
ing property issue during an inventory of equipment. And then there are some 
stories that just stay with you for décades, such as the senior executive of an 
accounting firm who was jailed for submitting false matching-gift donation 
forms and having the university kick back the entirety of his “contribution” 
after the matching gift was received. The kickback checks were made out 
from the university to a contractor working on the executive’ s home in a 
posh suburb. 


WRAPPING UP 

Appendix 8A describes antifraud programs and Controls that were released 
with SAS No. 99, Considération of Fraud in a Financial Statement Audit . 
While the smallest of entities may hâve difficulty justifying such programs 
on their own, in combination with other entities in a community or industry 
group, they may be able to implement a number of the programs. 

The point here is not to create a fraud-phobic reaction, but to increase 
the awareness of fraud risk and abuse to motivate better Controls design and 
monitoring. The tone at the top is clearly an issue in any organization, whether 
small or large, public or private. Fraud can happen in your business, and the 
business/entity to which you devote your time and energy can be destroyed 
with false trust or a careless or négligent attitude that becomes exploited. If 
you care about the organization you hâve built or work for, and care for its 
future, you need to take steps to ensure it is protected against this sort of 


nonsense. 


Appendix 8A 

Management Antifraud 
Programs and Controls: An 
Elément of The Control 
Environment 


The following exhibit was published with Statement of Auditing Standards 
No. 99 (The Auditor’s Considération ofFraud in an Audit of Financial State- 
ments) 1 and is reproduced with the permission of the American Institute of 
Certified Pubbc Accountants. It is not part of the auditing standards, but 
it is a statement of best practices and is endorsed by a number of profes- 
sional and business organizations. The author of this book was a member 
of the Auditing Standards Board that approved SAS No. 99 including this 
Exhibit. 

Fraud is included in the Committee of Sponsoring Organizations (COSO) 
Controls framework as an element in each of the five components of internai 
control over financial reporting. An element that often relates to entity-level 
Controls is a company’ s antifraud program. Many organizations hâve imple- 
mented formai programs in recent years, and professional organizations hâve 
assisted companies in establishing Controls, training programs, and reporting 
mechanisms to deter and detect fraud. Most likely, the recent implémenta- 
tion of such a program means that documentation is readily available, and 
the company may hâve monitoring data that can assist you in understanding 
management’ s basis for their assessment of effectiveness. 


1. AICPA, New York, NY 2001. 


193 


194 


MANAGEMENT ANTIFRAUD PROGRAMS AND CONTROLS 


Nevertheless, regarding the control environment, auditors must base their 
assessment of the program on the procedures they apply. 

In reading the program documentation, auditors consider: 

• Is the program sufficiently comprehensive in scope for the type of 
business conducted by the company? 

• Does it apply to the entire company or to a portion of the company? 

• How is the program implemented? 

• Is it reaching ail of the right people? 

• Are employées aware of program and the toll-free tip l in e? 

• Are tips actively investigated and resolved? 

• Hâve there been any disciplinary or legal actions taken based on find- 
ings? 

In interviews with employées and management in different locations, audi- 
tors can confirm awareness of the program and its goals and gain information 
about the program’ s effectiveness. 

The exhibit can serve as a resource and a benchmark for your understand- 
ing the éléments of an antifraud program. 

The exhibit discusses these topics: 

• Creating a culture of honesty and high ethics — préventive procedures 

• Evaluating antifraud processes and Controls — détective procedures 

• Developing an appropriate oversight process — the rôle of management 
and others 

• A sample code of conduct 

• A sample ethics statement 

The Web sites listed at the end of the document contain a wealth of addi- 
tional educational and resource materials relating to fraud prévention and 
détection. 

MANAGEMENT ANTIFRAUD PROGRAMS AND CONTROLS 
Guidance to Help Prevent, Deter, and Detect Fraud 

Note 

(This exhibit is reprinted for the reader's convenience but is not an intégral part of this 
statement.) 


MANAGEMENT ANTIFRAUD PROGRAMS AND CONTROLS 


195 


This document is being issued jointly by the following organizations: 

American Institute of Certified Public Accountants 

Association of Certified Fraud Examiners 

Financial Executives International 

Information Systems Audit and Control Association 

The Institute of Internai Auditors 

Institute of Management Accountants 

Society for Human Resource Management 

In addition, we would also like to acknowledge the American Accounting 
Association, the Defense Industry Initiative, and the National Association of 
Corporate Directors for their review of the document and helpful comments 
and materials. 

We gratefully acknowledge the valuable contribution provided by the 
Anti-Fraud Détection Subgroup: 

Daniel D. Montgomery, Chair 
Toby J. F. Bishop 
Dennis H. Chookaszian 
Susan A. Finn 
Dana Hermanson 

Finally, we thank the staff of the American Institute of Certified Public 
Accountants for their support on this project: 

Charles E. Landes Kim M. Gibson 

Director Technical Manager 

Audit and Attest Standards Audit and Attest Standards 


David L. Landsittel 
Carol A. Langelier 
Joseph T. Wells 
JaniceWilkins 


Richard Lanza Hugh Kelsey 

Senior Program Manager Program Manager 

Chief Operating Office Knowledge Management 

This document was commissioned by the Fraud Task Force of the AICPA’ s 
Auditing Standards Board. This document has not been adopted, approved, 
disapproved, or otherwise acted upon by a board, committee, goveming body, 
or membership of the above issuing organizations. 


PREFACE 


Some organizations hâve significantly lower levels of misappropriation of 
assets and are less susceptible to fraudulent financial reporting than other 
organizations because these organizations take proactive steps to prevent or 
deter fraud. It is only those organizations that seriously consider fraud risks 
and take proactive steps to create the right kind of climate to reduce its 
occurrence that hâve success in preventing fraud. This document identifies 
the key participants in this antifraud effort, including the board of directors, 
management, internai and independent auditors, and certified fraud examiners. 

Management may develop and implement some of these programs and 
Controls in response to spécifie identified risks of material misstatement of 
financial statements due to fraud. In other cases, these programs and Controls 
may be a part of the entity’s enterprise-wide risk management activities. 

Management is responsible for designing and implementing Systems and 
procedures for the prévention and détection of fraud and, along with the board 
of directors, for ensuring a culture and environment that promotes honesty and 
ethical behavior. However, because of the characteristics of fraud, a material 
misstatement of financial statements due to fraud may occur notwithstand- 
ing the presence of programs and Controls such as those described in this 
document. 


Contents 


Introduction 198 

Creating a Culture of Honesty and High Ethics 1 99 

Setting the Tone at the Top 199 

Creating a Positive Workplace Environment 201 

Hiring and Promoting Appropriate Employées 202 

Training 203 

Confirmation 203 

Discipline 204 

Evaluating Antifraud Processes and Controls 205 

Identifying and Measuring Fraud Risks 205 

Mitigating Fraud Risks 206 

Implementing and Monitoring Appropriate Internai Controls 206 

Developing an Appropriate Oversight Process 207 

Audit Committee or Board of Directors 207 

Management 209 

Internai Auditors 210 

Independent Auditors 211 

Certified Fraud Exami ners 212 

Other Information 212 

Attachment 1 : AICPA "CPA' s Handbook of Fraud and 
Commercial Crime Prévention,” An Organizational Code 
ofConduct 212 

Attachment 2: Financial Executives International Code of Ethics 

Statement 216 


198 


MANAGEMENT ANTIFRAUD PROGRAMS AND CONTROLS 


INTRODUCTION 

Fraud can range from minor employée theft and unproductive behavior to 
misappropriation of assets and fraudulent financial reporting. Material finan- 
cial statement fraud can hâve a significant adverse effect on an entity’ s market 
value, réputation, and ability to achieve its strategie objectives. A number 
of highly publicized cases hâve heightened the awareness of the effects of 
fraudulent financial reporting and hâve led many organizations to be more 
proactive in taking steps to prevent or deter its occurrence. Misappropriation 
of assets, though often not material to the financial statements, can nonethe- 
less resuit in substantial losses to an entity if a dishonest employée has the 
incentive and opportunity to commit fraud. 

The risk of fraud can be reduced through a combination of prévention, 
deterrence, and détection measures. However, fraud can be difficult to detect 
because it often involves concealment through falsification of documents 
or collusion among management, employées, or third parties. Therefore, it 
is important to place a strong emphasis on fraud prévention, which may 
reduce opportunities for fraud to take place, and fraud deterrence, which 
could persuade individuals that they should not commit fraud because of the 
likelihood of détection and punishment. Moreover, prévention and deterrence 
measures are much less costly than the time and expense required for fraud 
détection and investigation. 

An entity’ s management has both the responsibility and the means to 
implement measures to reduce the incidence of fraud. The measures an orga- 
nization takes to prevent and deter fraud also can help create a positive 
workplace environment that can enhance the entity’ s ability to recruit and 
retain high-quality employées. 

Research suggests that the most effective way to implement measures to 
reduce wrongdoing is to base them on a set of core values that are embraced 
by the entity. These values provide an overarching message about the key 
principles guiding ail employées’ actions. This provides a platform upon 
which a more detailed code of conduct can be constructed, giving more spé- 
cifie guidance about permitted and prohibited behavior, based on applicable 
laws and the organization’s values. Management needs to clearly articulate 
that ail employées will be held accountable to act within the organization’s 
code of conduct. 

This document identifies measures entities can implement to prevent, deter, 
and detect fraud. It discusses these measures in the context of three funda- 
mental éléments. Broadly stated, these fundamental éléments are (1) create 
and maintain a culture of honesty and high ethics; (2) evaluate the risks 


CREATING A CULTURE OF HONESTY AND HIGH ETHICS 199 

of fraud and implement the processes, procedures, and Controls needed to 
mitigate the risks and reduce the opportunities for fraud; and (3) develop an 
appropriate oversight process. Although the entire management team shares 
the responsibility for implementing and monitoring these activities, with over- 
sight from the board of directors, the entity’s chief executive officer (CEO) 
should initiate and support such measures. Without the CEO’ s active support, 
these measures are less likely to be effective. 

The information presented in this document generally is applicable to enti- 
ties of ail sizes. However, the degree to which certain programs and Controls 
are applied in smaller, less-complex entities and the formality of their applica- 
tion are likely to differ from larger organizations. For example, management 
of a smaller entity (or the owner of an owner-managed entity), along with 
those charged with govemance of the financial reporting process, are respon- 
sible for creating a culture of honesty and high ethics. Management also 
is responsible for implementing a System of internai Controls commensurate 
with the nature and size of the organization, but smaller entities may find that 
certain types of control activities are not relevant because of the involvement 
of and Controls applied by management. However, ail entities must make it 
clear that unethical or dishonest behavior will not be tolerated. 

CREATING A CULTURE OF HONESTY AND HIGH ETHICS 

It is the organization’ s responsibility to create a culture of honesty and high 
ethics and to clearly communicate acceptable behavior and expectations of 
each employée. Such a culture is rooted in a strong set of core values (or value 
System) that provides the foundation for employées as to how the organization 
conducts its business. It also allows an entity to develop an ethical framework 
that covers (1) fraudulent financial reporting, (2) misappropriation of assets, 
and (3) corruption as well as other issues. 2 

Creating a culture of honesty and high ethics should include the following. 

Setting the Tone at the Top 

Directors and officers of corporations set the “tone at the top” for ethical 
behavior within any organization. Research in moral development strongly 
suggests that honesty can best be reinforced when a proper example is 
set — sometimes referred to as the tone at the top. The management of an 
entity cannot act one way and expect others in the entity to behave differently. 


2, Corruption includes bribery and other illégal 


200 


MANAGEMENT ANTIFRAUD PROGRAMS AND CONTROLS 


In many cases, particularly in larger organizations, it is necessary for man- 
agement both to behave ethically and openly communicate its expectations 
for ethical behavior because most employées are not in a position to observe 
management’ s actions. Management must show employées through its words 
and actions that dishonest or unethical behavior will not be tolerated, even 
if the resuit of the action benefits the entity. Moreover, it should be évident 
that ail employées will be treated equally, regardless of their position. 

For example, statements by management regarding the absolute need to 
meet operating and financial targets can create undue pressures that may lead 
employées to commit fraud to achieve them. Setting unachievable goals for 
employées can give them two unattractive choices: fail or cheat. In contrast, 
a statement from management that says, “We are aggressive in pursuing 
our targets, while requiring truthful financial reporting at ail times,” clearly 
indicates to employées that integrity is a requirement. This message also 
conveys that the entity has “zéro tolérance” for unethical behavior, including 
fraudulent financial reporting. 

The cornerstone of an effective antifraud environment is a culture with a 
strong value System founded on integrity. This value System often is reflected 
in a code of conduct . 3 The code of conduct should reflect the core values 
of the entity and guide employées in making appropriate decisions during 
their workday. The code of conduct might include such topics as ethics, 
confidentiality, conflicts of interest, intellectual property, sexual harassment, 
and fraud . 4 For a code of conduct to be effective, it should be communicated 
to ail personnel in an understandable fashion. It also should be developed 
in a participatory and positive manner that will resuit in both management 
and employées taking ownership of its content. Finally, the code of conduct 
should be included in an employée handbook or policy manual, or in some 
other formai document or location (for example, the entity’ s intranet) so it 
can be referred to when needed. 

Senior financial officers hold an important and elevated rôle in corpo- 
rate govemance. While members of the management team, they are uniquely 


3. An entity’ s value System also could be reflected in an ethics policy, a statement of business 
principles, or some other concise summary of guiding principles. 

4. Although the discussion in this document focuses on fraud, the subject of fraud often is considered 
in the context of a broader set of principles that govem an organization. Some organizations, 
however, may elect to develop a fraud policy separate from an ethics policy. Spécifie examples 
of topics in a fraud policy might include a requirement to comply with ail laws and régulations and 
explicit guidance regarding making payments to obtain contracts, holding pricing discussions with 
competitors, environmental discharges, relationships with vendors, and maintenance of accurate 
books and records. 


CREATING A CULTURE OF HONESTY AND HIGH ETHICS 


201 


capable and empowered to ensure that ail stakeholders’ interests are appropri- 
ately balanced, protected, and preserved. For examples of codes of conduct, 
see Attachment 1, “AICPA ‘CPA’ s Handbook of Fraud and Commercial 
Crime Prévention,’ An Organizational Code of Conduct,” and Attachment 2, 
“Financial Executives International Code of Ethics Statement” provided by 
Financial Executives International. In addition, visit the Institute of Manage- 
ment Accountant’s Ethics Center at www.imanet.org/ethics for their mem- 
bers’ standards of ethical conduct. 

Creating a Positive Workplace Environment 

Research results indicate that wrongdoing occurs less frequently when em- 
ployées hâve positive feelings about an entity than when they feel abused, 
threatened, or ignored. Without a positive workplace environment, there are 
more opportunities for poor employée morale, which can affect an employée’ s 
attitude about committing fraud against an entity. Factors that detract from a 
positive work environment and may increase the risk of fraud include: 

• Top management that does not seem to care about or reward appro- 
priate behavior 

• Négative feedback and lack of récognition for job performance 

• Perceived inequities in the organization 

• Autocratie rather than participative management 

• Low organizational loyalty or feelings of ownership 

• Unreasonable budget expectations or other financial targets 

• Fear of delivering “bad news” to supervisors and/or management 

• Less-than-competitive compensation 

• Poor training and promotion opportunities 

• Lack of clear organizational responsibilities 

• Poor communication practices or methods within the organization 

The entity’ s human resources départaient often is instrumental in help- 

ing to build a corporate culture and a positive work environment. Human 
resource professionals are responsible for implementing spécifie programs 
and initiatives, consistent with management’ s strategies, that can help to mit- 
igate many of the detractors mentioned above. Mitigating factors that help 
create a positive work environment and reduce the risk of fraud may include: 

• Récognition and reward Systems that are in tandem with goals and 
results 

• Equal employment opportunities 

• Team-oriented, collaborative decision-making policies 


202 


MANAGEMENT ANTIFRAUD PROGRAMS AND CONTROLS 


• Professionally administered compensation programs 

• Professionally administered training programs and an organizational 
priority of career development 

Employées should be empowered to help create a positive workplace envi- 
ronment and support the entity’s values and code of conduct. They should be 
given the opportunity to provide input to the development and updating of the 
entity’s code of conduct, to ensure that it is relevant, clear, and fair. Involving 
employées in this fashion also may effectively contribute to the oversight of 
the entity’s code of conduct and an environment of ethical behavior (see the 
section titled “Developing an Appropriate Oversight Process”). 

Employées should be given the means to obtain advice internally before 
making decisions that appear to hâve significant legal or ethical implications. 
They should also be encouraged and given the means to communicate con- 
cems, anonymously if preferred, about potential violations of the entity’s 
code of conduct, without fear of rétribution. Many organizations hâve imple- 
mented a process for employées to report on a confidential basis any actual 
or suspected wrongdoing, or potential violations of the code of conduct or 
ethics policy. For example, some organizations use a téléphoné “hotline” 
that is directed to or monitored by an ethics officer, fraud officer, general 
counsel, internai audit director, or another trusted individual responsible for 
investigating and reporting incidents of fraud or illégal acts. 

Hiring and Promoting Appropriate Employées 

Each employée has a unique set of values and personal code of ethics. When 
faced with sufficient pressure and a perceived opportunity, some employées 
will behave dishonestly rather than face the négative conséquences of honest 
behavior. The threshold at which dishonest behavior starts, however, will 
vary among individuals. If an entity is to be successful in preventing fraud, it 
must hâve effective policies that minimize the chance of hiring or promoting 
individuals with low levels of honesty, especially for positions of trust. 

Proactive hiring and promotion procedures may include: 

• Conducting background investigations on individuals being considered 
for employment or for promotion to a position of trust 5 

• Thoroughly checking a candidate’ s éducation, employment history, 
and personal references 


5. Some organizations also hâve considered follow-up investigations, particularly for employées in 
positions of trust, on a periodic basis (for example, every five years) or as circumstances dictate. 


CREATING A CULTURE OF HONESTY AND HIGH ETHICS 


203 


Periodic training of ail employées about the entity’s values and code 
of conduct, (training is addressed in the following section) 
Incorporating into regular performance reviews an évaluation of how 
each individual has contributed to creating an appropriate workplace 
environment in line with the entity’s values and code of conduct 
Continuous objective évaluation of compliance with the entity’s values 
and code of conduct, with violations being addressed immediately 


Training 

New employées should be trained at the time of hiring about the entity’s val- 
ues and its code of conduct. This training should explicitly cover expectations 
of ail employées regarding (1) their duty to communicate certain matters; 
(2) a list of the types of matters, including actual or suspected fraud, to be 
communicated along with spécifie examples; and (3) information on how to 
communicate those matters. There also should be an affirmation from senior 
management regarding employée expectations and communication responsi- 
bilities. Such training should include an element of “fraud awareness,” the 
tone of which should be positive but nonetheless stress that fraud can be 
costly (and detrimental in other ways) to the entity and its employées. 

In addition to training at the time of hiring, employées should receive 
refresher training periodically thereafter. Some organizations may consider 
ongoing training for certain positions, such as purchasing agents or employ- 
ées with financial reporting responsibilities. Training should be spécifie to an 
employée’ s level within the organization, géographie location, and assigned 
responsibilities. For example, training for senior manager level personnel 
would normally be different from that of nonsupervisory employées, and 
training for purchasing agents would be different from that of sales représen- 
tatives. 


Confirmation 

Management needs to clearly articulate that ail employées will be held ac- 
countable to act within the entity’s code of conduct. Ail employées within 
senior management and the finance function, as well as other employées in 
areas that might be exposed to unethical behavior (for example, procurement, 
sales and marketing) should be required to sign a code of conduct statement 
annually, at a minimum. 

Requiring periodic confirmation by employées of their responsibilities will 
not only reinforce the policy but may also deter individuals from committing 


204 


MANAGEMENT ANTIFRAUD PROGRAMS AND CONTROLS 


fraud and other violations and might identify problems before they become 
significant. Such confirmation may include statements that the individual 
understands the entity’s expectations, has complied with the code of con- 
duct, and is not aware of any violations of the code of conduct other than 
those the individual lists in his or her response. Although people with low 
integrity may not hesitate to sign a false confirmation, most people will want 
to avoid making a false statement in writing. Honest individuals are more 
likely to retum their confirmations and to disclose what they know (including 
any conflicts of interest or other personal exceptions to the code of conduct). 
Thorough follow-up by internai auditors or others regarding nonreplies may 
uncover significant issues. 


Discipline 

The way an entity reacts to incidents of alleged or suspected fraud will send a 
strong deterrent message throughout the entity, helping to reduce the number 
of future occurrences. The following actions should be taken in response to 
an alleged incident of fraud: 

• A thorough investigation of the incident should be conducted . 6 

• Appropriate and consistent actions should be taken against violators. 

• Relevant Controls should be assessed and improved. 

• Communication and training should occur to reinforce the entity’s 
values, code of conduct, and expectations. 

Expectations about the conséquences of committing fraud must be clearly 
communicated throughout the entity. For example, a strong statement from 
management that dishonest actions will not be tolerated, and that viola- 
tors may be terminated and referred to the appropriate authorities, clearly 
establishes conséquences and can be a valuable deterrent to wrongdoing. 
If wrongdoing occurs and an employée is disciplined, it can be helpful to 
communicate that fact, on a no-name basis, in an employée newsletter or 
other regular communication to employées. Seeing that other people hâve 
been disciplined for wrongdoing can be an effective deterrent, increasing 
the perceived likelihood of violators being caught and punished. It also can 


6. Many entities of sufficient size are employing antifraud professionals, such as certified fraud 
examiners, who are responsible for resolving allégations of fraud within the organization and 
who also assist in the détection and deterrence of fraud. These individuals typically report their 
findings intemally to the corporate security, legal, or internai audit departments. In other instances, 
such individuals may be empowered directly by the board of directors or its audit committee. 


EVALUATING ANTIFRAUD PROCESSES AND CONTROLS 


205 


demonstrate that the entity is committed to an environment of high ethical 
standards and integrity. 

EVALUATING ANTIFRAUD PROCESSES AND CONTROLS 

Neither fraudulent financial reporting nor misappropriation of assets can occur 
without a perceived opportunity to commit and conceal the act. Organiza- 
tions should be proactive in reducing fraud opportunities by (1) identifying 
and measuring fraud risks, (2) taking steps to mitigate identified risks, and 
(3) implementing and monitoring appropriate préventive and détective inter- 
nai Controls and other de terrent measures. 

Identifying and Measuring Fraud Risks 

Management has primary responsibility for establishing and monitoring ail 
aspects of the entity’ s fraud risk-assessment and prévention activities. 7 Fraud 
risks often are considered as part of an enterprise-wide risk management pro- 
gram, though they may be addressed separately. 8 The fraud risk-assessment 
process should consider the vulnerability of the entity to fraudulent activity 
(fraudulent financial reporting, misappropriation of assets, and corruption) 
and whether any of those exposures could resuit in a material misstatement 
of the financial statements or material loss to the organization. In identify- 
ing fraud risks, organizations should consider organizational, industry, and 
country-specific characteristics that influence the risk of fraud. 

The nature and extent of management’ s risk assessment activities should 
be commensurate with the size of the entity and complexity of its opera- 
tions. For example, the risk assessment process is likely to be less formai 
and less structured in smaller entities. However, management should rec- 
ognize that fraud can occur in organizations of any size or type, and that 
almost any employée may be capable of committing fraud given the right 
set of circumstances. Accordingly, management should develop a heightened 


7. Management may elect to hâve internai audit play an active rôle in the development, monitoring, 
and ongoing assessment of the entity’ s fraud risk- management program. This may include an 
active rôle in the development and communication of the entity’ s code of conduct or ethics 
policy, as well as in investigating actual or alleged instances of noncompliance. 

8. Some organizations may perform a periodic self-assessment using questionnaires or other tech- 
niques to identify and measure risks. Self-assessment may be less reliable in identifying the risk 
of fraud due to a lack of expérience with fraud (although many organizations expérience some 
form of fraud and abuse, material financial statement fraud or misappropriation of assets is a 
rare event for most) and because management may be unwilling to acknowledge openly that they 
might commit fraud given sufficient pressure and opportunity. 


206 


MANAGEMENT ANTIFRAUD PROGRAMS AND CONTROLS 


“fraud awareness” and an appropriate fraud risk-management program, with 
oversight from the board of directors or audit committee. 

Mitigating Fraud Risks 

It may be possible to reduce or eliminate certain fraud risks by making 
changes to the entity’s activities and processes. An entity may choose to 
sell certain segments of its operations, cease doing business in certain loca- 
tions, or reorganize its business processes to eliminate unacceptable risks. 
For example, the risk of misappropriation of funds may be reduced by imple- 
menting a central lockbox at a bank to receive payments instead of receiving 
money at the entity’s various locations. The risk of corruption may be reduced 
by closely monitoring the entity’s procurement process. The risk of financial 
statement fraud may be reduced by implementing shared services centers to 
provide accounting services to multiple segments, affiliâtes, or géographie 
locations of an entity’s operations. A shared services center may be less 
vulnérable to influence by local operations managers and may be able to 
implement more extensive fraud détection measures cost-effectively. 

Implementing and Monitoring Appropriate Internai Controls 

Some risks are inhérent in the environment of the entity, but most can be 
addressed with an appropriate System of internai control. Once fraud risk 
assessment has taken place, the entity can identify the processes, Controls, 
and other procedures that are needed to mitigate the identified risks. Effec- 
tive internai control will include a well-developed control environment, an 
effective and secure information System, and appropriate control and mon- 
itoring activities . 9 Because of the importance of information technology in 
supporting operations and the processing of transactions, management also 
needs to implement and maintain appropriate Controls, whether automated or 
manual, over computer-generated information. 

In particular, management should evaluate whether appropriate internai 
Controls hâve been implemented in any areas management has identified as 
posing a higher risk of fraudulent activity, as well as Controls over the entity’ s 
financial reporting process. Because fraudulent financial reporting may begin 
in an intérim period, management also should evaluate the appropriateness 
of internai Controls over intérim financial reporting. 


9. The report of the Committee of Sponsoring Organizations (COSO) of the Treadway Commission, 
Internai Control-Integrated Framework , provides reasonable criteria for management to use in 
evaluating the effectiveness of the entity’s System of internai control. 


DEVELOPING AN APPROPRIATE OVERSIGHT PROCESS 


207 


Fraudulent financial reporting by upper-level management typically in- 
volves override of internai Controls within the financial reporting process. 
Because management has the ability to override Controls, or to influence 
others to perpetrate or conceal fraud, the need for a strong value System 
and a culture of ethical financial reporting becomes increasingly important. 
This helps create an environment in which other employées will décliné 
to participate in committing a fraud and will use established communica- 
tion procedures to report any requests to commit wrongdoing. The potential 
for management override also increases the need for appropriate oversight 
measures by the board of directors or audit committee, as discussed in the 
following section. 

Fraudulent financial reporting by lower levels of management and employ- 
ées may be deterred or detected by appropriate monitoring Controls, such 
as having higher-level managers review and evaluate the financial results 
reported by individual operating units or subsidiaries. Unusual fluctuations in 
results of particular reporting units, or the lack of expected fluctuations, may 
indicate potential manipulation by departmental or operating unit managers 
or staff. 


DEVELOPING AN APPROPRIATE OVERSIGHT PROCESS 

To effectively prevent or deter fraud, an entity should hâve an appropriate 
oversight function in place. Oversight can take many forms and can be per- 
formed by many within and outside the entity, under the overall oversight of 
the audit committee (or board of directors where no audit committee exists). 

Audit Committee or Board of Directors 

The audit committee (or the board of directors where no audit committee 
exists) should evaluate management’ s identification of fraud risks, implé- 
mentation of antifraud measures, and création of the appropriate “tone at the 
top.” Active oversight by the audit com mi ttee can help to reinforce man- 
agement’ s com mi tment to creating a culture with “zéro tolérance” for fraud. 
An entity’ s audit committee also should ensure that senior management (in 
particular, the CEO) implements appropriate fraud deterrence and prévention 
measures to better protect investors, employées, and other stakeholders. The 
audit com mi ttee’ s évaluation and oversight not only helps make sure that 
senior management fulfills its responsibility, but also can serve as a deterrent 
to senior management engaging in fraudulent activity (that is, by ensuring 
an environment is created whereby any attempt by senior management to 


208 


MANAGEMENT ANTIFRAUD PROGRAMS AND CONTROLS 


involve employées in committing or concealing fraud would lead promptly 
to reports from such employées to appropriate persons, including the audit 
committee). 

The audit committee also plays an important rôle in helping the board of 
directors fulfill its oversight responsibilities with respect to the entity’s finan- 
cial reporting process and the System of internai control . 10 In exercising this 
oversight responsibility, the audit committee should consider the potential 
for management override of Controls or other inappropriate influence over 
the financial reporting process. For example, the audit committee may obtain 
from the internai auditors and independent auditors their views on man- 
agement’ s involvement in the financial reporting process and, in particular, 
the ability of management to override information processed by the entity’s 
financial reporting System (for example, the ability for management or others 
to initiate or record nonstandard journal entries). The audit committee also 
may consider reviewing the entity’s reported information for reasonableness 
compared with prior or forecasted results, as well as with peers or industry 
averages. In addition, information received in communications from the inde- 
pendent auditors * 11 can assist the audit committee in assessing the strength of 
the entity’s internai control and the potential for fraudulent financial reporting. 

As part of its oversight responsibilities, the audit committee should encour- 
age management to provide a mechanism for employées to report concems 
about unethical behavior, actual or suspected fraud, or violations of the 
entity’s code of conduct or ethics policy. The committee should then receive 
periodic reports describing the nature, status, and eventual disposition of 
any fraud or unethical conduct. A summary of the activity, follow-up and 
disposition also should be provided to the full board of directors. 

If senior management is involved in fraud, the next layer of management 
may be the most likely to be aware of it. As a resuit, the audit com mi ttee (and 
other directors) should consider establishing an open line of communication 
with members of management one or two levels below senior management 
to assist in identifying fraud at the highest levels of the organization or 


10. See the Report of the NACD Blue Ribbon Commission on the Audit Committee, (Washington, 
D.C.: National Association of Corporate Directors, 2000). For the board’s rôle in the oversight of 
risk management, see Report of the NACD Blue Ribbon Commission on Risk Oversight , (Wash- 
ington, D.C.: National Association of Corporate Directors, 2002). 

11. See Statement on Auditing Standards No. 60, Communication of Internai Control Related Matters 
Noted in an Audit (AICPA, Professional Standards , vol. 1, AU sec. 325), and SAS No. 61, 
Communications With Audit Committees (AICPA, Professional Standards, vol. 1, AU sec. 380), 
as amended. Author’s note: Since the publication of SAS No. 99 these SASs hâve been updated 
in SAS No. 112 and SAS No. 114. 


DEVELOPING AN APPROPRIATE OVERSIGHT PROCESS 


209 


investigating any fraudulent activity that might occur . 12 The audit committee 
typically has the ability and authority to investigate any alleged or suspected 
wrongdoing brought to its attention. Most audit committee charters empower 
the committee to investigate any matters within the scope of its responsibili- 
ties, and to retain legal, accounting, and other professional advisers as needed 
to advise the committee and assist in its investigation. 

Ail audit committee members should be financially literate, and each com- 
mittee should hâve at least one financial expert. The financial expert should 
possess: 

• An understanding of generally accepted accounting principles and 
audits of financial statements prepared under those principles. Such 
understanding may hâve been obtained either through éducation or 
expérience. It is important for someone on the audit com mi ttee to 
hâve a working knowledge of those principles and standards. 

• Expérience in the préparation and/or the auditing of financial state- 
ments of an entity of similar size, scope and complexity as the entity 
on whose board the committee member serves. The expérience would 
generally be as a chief financial officer, chief accounting officer, con- 
troller, or auditor of a similar entity. This background will provide 
a necessary understanding of the transactional and operational envi- 
ronment that produces the issuer’s financial statements. It will also 
bring an understanding of what is involved in, for example, appro- 
priate accounting estimâtes, accruals, and reserve provisions, and an 
appréciation of what is necessary to maintain a good internai control 
environment. 

• Expérience in internai govemance and procedures of audit committees, 
obtained either as an audit committee member, a senior corporate man- 
ager responsible for answering to the audit committee, or an extemal 
auditor responsible for reporting on the execution and results of annual 
audits. 


Management 

Management is responsible for overseeing the activities canied out by em- 
ployées, and typically does so by implementing and monitoring processes and 


12. Report of the NACD Best Practices Council: Coping with Fraud and Other Illégal Activity, 
A Guide for Directors, CEOs, and Senior Managers (1998), sets forth “basic principles” and 
“implémentation approaches” for dealing with fraud and other illégal activity. 


210 


MANAGEMENT ANTIFRAUD PROGRAMS AND CONTROLS 


Controls such as those discussed previously. However, management also may 
initiate, participate in, or direct the commission and concealment of a fraud- 
ulent act. Accordingly, the audit committee (or the board of directors where 
no audit committee exists) has the responsibility to oversee the activities of 
senior management and to consider the risk of fraudulent financial reporting 
involving the override of internai Controls or collusion (see discussion on the 
audit committee and board of directors above). 

Public companies should include a statement in the annual report acknowl- 
edging management’ s responsibility for the préparation of the financial state- 
ments and for establishing and maintaining an effective System of internai 
control. This will help improve the public’ s understanding of the respective 
rôles of management and the auditor. This statement has also been generally 
referred to as a “Management Report” or “Management Certificate.” Such a 
statement can provide a convenient vehicle for management to describe the 
nature and manner of préparation of the financial information and the ade- 
quacy of the internai accounting Controls. Logically, the statement should be 
presented in close proximity to the formai financial statements. For example, 
it could appear near the independent auditor’ s report, or in the financial review 
or management analysis section. 

Internai Auditors 

An effective internai audit team can be extremely helpful in performing 
aspects of the oversight function. Their knowledge about the entity may 
enable them to identify indicators that suggest fraud has been committed. 
The Standards for the Professional Practice of Internai Auditing (IIA Stan- 
dards), issued by the Institute of Internai Auditors, State, “The internai auditor 
should hâve sufficient knowledge to identify the indicators of fraud but is not 
expected to hâve the expertise of a person whose primary responsibility is 
detecting and investigating fraud.” Internai auditors also hâve the opportunity 
to evaluate fraud risks and Controls and to recommend action to mitigate risks 
and improve Controls. Specifically, the IIA Standards require internai audi- 
tors to assess risks facing their organizations. This risk assessment is to serve 
as the basis from which audit plans are devised and against which internai 
Controls are tested. The IIA Standards require the audit plan to be presented 
to and approved by the audit committee (or board of directors where no audit 
committee exists). The work completed as a resuit of the audit plan provides 
assurance on which management’ s assertion about Controls can be made. 

Internai audits can be both a détection and a deterrence measure. Internai 
auditors can assist in the deterrence of fraud by examining and evaluating the 


DEVELOPING AN APPROPRIATE OVERSIGHT PROCESS 


211 


adequacy and the effectiveness of the System of internai control, commensu- 
rate with the extent of the potential exposure or risk in the various segments 
of the organization’ s operations. In carrying out this responsibility, internai 
auditors should, for example, détermine whether: 

• The organizational environment fosters control consciousness. 

• Realistic organizational goals and objectives are set. 

• Written policies (for example, a code of conduct) exist that describe 
prohibited activities and the action required whenever violations are 
discovered. 

• Appropriate authorization policies for transactions are established and 
maintained. 

• Policies, practices, procedures, reports, and other mechanisms are 
developed to monitor activities and safeguard assets, particularly in 
high-risk areas. 

• Communication channels provide management with adéquate and reli- 
able information. 

• Recommendations need to be made for the establishment or enhance- 
ment of cost-effective Controls to help deter fraud. 

Internai auditors may conduct proactive auditing to search for corruption, 
misappropriation of assets, and financial statement fraud. This may include 
the use of computer-assisted audit techniques to detect particular types of 
fraud. Internai auditors also can employ analytical and other procedures to 
isolate anomalies and perform detailed reviews of high-risk accounts and 
transactions to identify potential financial statement fraud. The internai audi- 
tors should hâve an independent reporting line directly to the audit committee, 
to enable them to express any concems about management’ s commitment to 
appropriate internai Controls or to report suspicions or allégations of fraud 
involving senior management. 


Independent Auditors 

Independent auditors can assist management and the board of directors (or 
audit committee) by providing an assessment of the entity’s process for iden- 
tifying, assessing, and responding to the risks of fraud. The board of directors 
(or audit committee) should hâve an open and candid dialogue with the inde- 
pendent auditors regarding management’ s risk assessment process and the 
System of internai control. Such a dialogue should include a discussion of 
the susceptibility of the entity to fraudulent financial reporting and the entity’s 
exposure to misappropriation of assets. 


212 


MANAGEMENT ANTIFRAUD PROGRAMS AND CONTROLS 


Certified Fraud Examiners 

Certified fraud examiners may assist the audit committee and board of direc- 
tors with aspects of the oversight process either directly or as part of a team 
of internai auditors or independent auditors. Certified fraud examiners can 
provide extensive knowledge and expérience about fraud that may not be 
available within a corporation. They can provide more objective input into 
management’ s évaluation of the risk of fraud (especially fraud involving 
senior management, such as financial statement fraud) and the development 
of appropriate antifraud Controls that are less vulnérable to management over- 
ride. They can assist the audit com mi ttee and board of directors in evaluating 
the fraud risk assessment and fraud prévention measures implemented by 
management. Certified fraud examiners also conduct examinations to résolve 
allégations or suspicions of fraud, reporting either to an appropriate level of 
management or to the audit com mi ttee or board of directors, depending upon 
the nature of the issue and the level of personnel involved. 


OTHER INFORMATION 

To obtain more information on fraud and implementing antifraud programs 
and Controls, please go to the following Web sites where additional materials, 
guidance, and tools can be found. 

American Institute of Certified Public Accountants www.aicpa.org 
Association of Certified Fraud Examiners www.cfenet.com 
Financial Executives International www.fei.org 
Information Systems Audit and Control Association www.isaca.org 
The Institute of Internai Auditors www.theiia.org 
Institute of Management Accountants www.imanet.org 
National Association of Corporate Directors www.nacdonline.org 
Society for Human Resource Management www.shrm.org 

Attachment 1: AICPA "CPA's Handbook 
of Fraud and Commercial Crime Prévention/' An 
Organizational Code of Conduct 

The following is an example of an organizational code of conduct, which 
includes définitions of what is considered unacceptable, and the conséquences 
of any breaches thereof. The spécifie content and areas addressed in an 
entity’s code of conduct should be spécifie to that entity. 


OTHER INFORMATION 


213 


Organizational Code of Conduct 

The Organization and its employées must, at ail times, comply with ail appli- 
cable laws and régulations. The Organization will not condone the activities 
of employées who achieve results through violation of the law or unethical 
business dealings. This includes any payments for illégal acts, indirect contri- 
butions, rebates, and bribery. The Organization does not permit any activity 
that fails to stand the closest possible pubbc scrutiny. 

Ail business conduct should be well above the minimum standards required 
by law. Accordingly, employées must ensure that their actions cannot be 
interpreted as being, in any way, in contravention of the laws and régulations 
governing the Organization’ s worldwide operations. 

Employées uncertain about the appbcation or interprétation of any legal 
requirements should refer the matter to their superior, who, if necessary, 
should seek the advice of the legal department. 

General Employée Conduct 

The Organization expects its employées to conduct themselves in a busi- 
nesslike manner. Drinking, gambling, fighting, swearing, and similar unpro- 
fessional activities are strictly prohibited while on the job. 

Employées must not engage in sexual harassment, or conduct themselves 
in a way that could be construed as such, for example, by using inappropriate 
language, keeping or posting inappropriate materials in their work area, or 
accessing inappropriate materials on their computer. 

Conflicts of Interest 

The Organization expects that employées will perform their duties consci- 
entiously, honestly, and in accordance with the best interests of the Orga- 
nization. Employées must not use their position or the knowledge gained 
as a resuit of their position for private or personal advantage. Regardless 
of the circumstances, if employées sense that a course of action they hâve 
pursued, are presently pursuing, or are contemplating pursuing may involve 
them in a conflict of interest with their employer, they should immediately 
communicate ail the facts to their superior. 

Outside Activities, Employment, and Directorships 

Ail employées share a serious responsibility for the Organization’ s good pub- 
lic relations, especially at the community level. Their readiness to help with 
religious, charitable, educational, and civic activities brings crédit to the Orga- 
nization and is encouraged. Employées must, however, avoid acquiring any 


214 


MANAGEMENT ANTIFRAUD PROGRAMS AND CONTROLS 


business interest or participating in any other activity outside the Organization 
that would, or would appear to: 

• Create an excessive demand upon their time and attention, thus depriv- 
ing the Organization of their best efforts on the job 

• Create a conflict of interest — an obligation, interest, or distraction — 
that may interfère with the independent exercise of judgment in the 
Organization’ s best interest 

Relationships with Clients and Suppliers 

Employées should avoid investing in or acquiring a financial interest for their 
own accounts in any business organization that has a contractual relationship 
with the Organization, or that provides goods or services, or both to the 
Organization, if such investment or interest could influence or create the 
impression of influencing their decisions in the performance of their duties 
on behalf of the Organization. 

Gifts, Entertainment, and Favors 

Employées must not accept entertainment, gifts, or personal favors that could, 
in any way, influence, or appear to influence, business decisions in favor of 
any person or organization with whom or with which the Organization has, or 
is likely to hâve, business dealings. Similarly, employées must not accept any 
other preferential treatment under these circumstances because their position 
with the Organization might be inclined to, or be perceived to, place them 
under obligation. 

Kickbacks and Secret Commi s sions 

Regarding the Organization’ s business activities, employées may not receive 
payment or compensation of any kind, except as authorized under the Orga- 
nization’ s rémunération policies. In particular, the Organization strictly pro- 
hibits the acceptance of kickbacks and secret commissions from suppliers 
or others. Any breach of this rule will resuit in immédiate termination and 
prosecution to the fullest extent of the law. 

Organization Funds and Other Assets 

Employées who hâve access to Organization funds in any form must fol- 
low the prescribed procedures for recording, handling, and protecting money 
as detailed in the Organization’ s instructional manuals or other explanatory 
materials, or both. The Organization imposes strict standards to prevent fraud 


OTHER INFORMATION 


215 


and dishonesty. If employées become aware of any evidence of fraud and dis- 
honesty, they should immediately advise their superior or the Law Department 
so that the Organization can promptly investigate further. 

When an employée’ s position requires spending Organization funds or 
incurring any reimbursable personal expenses, that individual must use good 
judgment on the Organization’ s behalf to ensure that good value is received 
for every expenditure. 

Organization funds and ail other assets of the Organization are for Organi- 
zation purposes only and not for personal benefit. This includes the personal 
use of organizational assets, such as computers. 

Organization Records and Communications 

Accurate and reliable records of many kinds are necessary to meet the Orga- 
nization’ s legal and financial obligations and to manage the affairs of the 
Organization. The Organization’ s books and records must reflect in an accu- 
rate and timely manner ail business transactions. The employées responsible 
for accounting and recordkeeping must fully disclose and record ail assets, 
liabilities, or both, and must exercise diligence in enforcing these require- 
ments. 

Employées must not make or engage in any false record or communication 
of any kind, whether internai or extemal, including but not limited to: 

• False expense, attendance, production, financial, or similar reports and 
statements 

• False advertising, deceptive marketing practices, or other misleading 
représentations 

Dealing with Outside People and Organizations 

Employées must take care to separate their personal rôles from their Organi- 
zation positions when communicating on matters not involving Organization 
business. Employées must not use organization identification, stationery, sup- 
plies, and equipment for personal or political matters. 

When communicating publicly on matters that involve Organization busi- 
ness, employées must not présumé to speak for the Organization on any 
topic, unless they are certain that the views they express are those of the 
Organization, and it is the Organization’ s desire that such views be publicly 
disseminated. 

When dealing with anyone outside the Organization, including public offi- 
ciais, employées must take care not to compromise the integrity or damage 


216 


MANAGEMENT ANTIFRAUD PROGRAMS AND CONTROLS 


the réputation of either the Organization, or any outside individual, business, 
or govemment body. 

Prompt Communications 

In ail matters relevant to customers, suppliers, govemment authorities, the 
public and others in the Organization, ail employées must make every effort 
to achieve complété, accurate, and timely communications — responding pro- 
mptly and courteously to ail proper requests for information and to ail com- 
plaints. 

Privacy and Confidentiality 

When handling financial and personal information about customers or others 
with whom the Organization has dealings, observe the following principles: 

1. Collect, use, and retain only the personal information necessary for 
the Organization’ s business. Whenever possible, obtain any relevant 
information directly from the person concemed. Use only reputable 
and reliable sources to supplément this i nf orm a tion. 

2. Retain information only for as long as necessary or as required by law. 
Protect the physical security of this information. 

3. Limit internai access to personal information to those with a legitimate 
business reason for seeking that information. Use only personal infor- 
mation for the purposes for which it was originally obtained. Obtain 
the consent of the person concerned before extemally disclosing any 
personal information, unless legal process or contractual obligation 
provides otherwise. 


Attachment 2: Financial Executives International 
Code of Ethics Statement 

The mission of Financial Executives International (FEI) includes signilicant 
efforts to promote ethical conduct in the practice of financial management 
throughout the world. Senior financial officers hold an important and elevated 
rôle in corporate govemance. While members of the management team, they 
are uniquely capable and empowered to ensure that ail stakeholders’ interests 
are appropriately balanced, protected, and preserved. This code provides prin- 
ciples that members are expected to adhéré to and advocate. They embody 
rules regarding individual and peer responsibilities, as well as responsibilities 
to employers, the public, and other stakeholders. 


OTHER INFORMATION 


217 


Ail members of FEI will: 

1. Act with honesty and integrity, avoiding actual or apparent conflicts 
of interest in personal and professional relationships. 

2. Provide constituents with information that is accurate, complété, objec- 
tive, relevant, timely, and understandable. 

3. Comply with rules and régulations of fédéral, State, provincial, and 
local governments, and other appropriate private and public regulatory 
agencies. 

4 . Act in good faith; responsibly; and with due care, compétence, and 
diligence, without misrepresenting material facts or allowing one’s 
independent judgment to be subordinated. 

5. Respect the confidentiality of information acquired in the course of 
one’s work except when authorized or otherwise legally obligated to 
disclose. Confidential information acquired in the course of one’s work 
will not be used for personal advantage. 

6. Share knowledge and maintain skills important and relevant to con- 
stituents’ needs. 

7. Proactively promote ethical behavior as a responsible partner among 
peers, in the work environment, and in the community. 

8. Achieve responsible use of and control over ail assets and resources 
employed or entrusted. 

The Auditing Standards Board and the Fraud Task Force gratefully acknow- 
ledge the contributions of Public Oversight Board Members Donald J. Kirk 
and Aulana L. Peters; the Public Oversight Board staff, and particularly 
George P. Fritz; former Task Force member Diana Hillier; members of a 
separate antifraud détection subgroup of the task force, including Daniel D. 
Montgomery, Toby J. F. Bishop, Dennis H. Chookaszian, Joseph T. Wells, 
and Janice Wilkins; AICPA General Counsel and Secretary Richard I. Miller; 
ASB Chair James S. Gerson; and many others, in the development of this 
Statement on Auditing Standards. 



Appendix 

Instructions for the Controls 
Design Assessment Case Study 


CONTROLS DESIGN ASSESSMENT— CASH RECEIPTS 
Parti 

Based on interviews, the Narrative of Controls Design was developed by 
your staff. The task will be to assess the Controls overall design regarding the 
revenues (contributions) by utilizing the COSO framework control objectives 
approach. 

The Contribution to Cash Cycle Template is a generic control objectives 
matrix that is being used to illustrate this task. The risks noted on the matrix 
are a first draft from your staff, and additional risks may be identified as the 
assessment proceeds. 


Part 2 

The Contribution to Cash Cycle with Control Procedures takes the next step in 
the process by adding to the matrix information obtained regarding the control 
objectives. In the process of completing the matrix, it is often necessary to 
gather more information than might be évident in the narrative. Trace some 
of the information in the narrative into the matrix. 

It is not necessary to initiate the Controls assessment process by preparing 
a narrative, but auditors or entities may sometimes already hâve narratives 
and/or flowcharts of processes and Controls prepared for major cycles. 


219 


220 INSTRUCTIONS FOR THE CONTROLS DESIGN ASSESSMENT CASE STUDY 

Part 3 

This matrix, Contribution to Cash Cycle Completed is where the assessment 
of design and implémentation takes place. Consider whether the procedures 
and Controls that are in place are sufficient to meet the control objective. 
Additionally, reconsider whether you hâve captured ail the important risks of 
what could go wrong. 

If the assessment exercise is limited to design and implémentation, then 
a walk-through or examination of some evidence that the procedure is being 
performed as described may be sufficient for now. That is what is being 
illustrated here in the Assessment column. 

If reporting on Controls effectiveness is an objective, tests of the effec- 
tive Controls over the period of asserted effectiveness would be performed. 
The illustrated matrix might then contain two Assessment columns — one for 
design and one for operating effectiveness. In addition, some matrices contain 
yet another column for Remediation in order to document changes in Controls 
when either design or operating effectiveness is identified as déficient. 

If the design of certain Controls was assessed as a significant deficiency or 
a material weakness, there would be no need to test those Controls until they 
were remediated. If major remediations in a Controls area are planned, then 
it is often best to await the redesign of the whole section before performing 
Controls tests, since processes and Controls often interact. 

In this case, a number of control objectives and risks do not seem to be 
met with the Controls and procedures that are in place. These risks would be 
assessed as to severity; if determined to be significant deficiencies or material 
weaknesses, they may be scheduled for some sort of remediation. It is often 
a good idea to consider reviewing any already processed accounting data that 
might contain errors based on the identified Controls deficiency. 

In this spécifie case, the cash management might be limited to a deficiency 
if the magnitude of the dollars exposed to the deficiency (e.g., loose change) 
is low. If significant cash dollars are potentially involved, the “could” factor 
might resuit in assessing this deficiency as at least a significant deficiency. In 
the case of the donor records, in combination with the ségrégation of duties 
issue, it appears that significant dollars are involved and that the design 
deficiency might likely be classified as a material weakness. This could be 
remediated in part by ensuring the donor records are reconciled with the state- 
ments sent, and by having the treasurer perform the co nfi rm a tions of balances 
and oversee the issuance of ail the account statements for tax purposes. 

The risk of fraud here is that the bookkeeper could divert finds to a personal 
account (the reader should note in the narrative the personal business of the 


CONTROLS DESIGN ASSESSMENT— CASH RECEIPTS 


221 


bookkeeper with the initiais “CCS”) and, by remembering the accounts from 
which the skimmed donations were taken, could send out confirmations that 
would agréé with what the contributor thinks he or she contributed, but do 
not agréé with the underlying organization records. Such a fraud might be 
hard for donors or auditors to detect unless the donor confirmation forms 
were reconciled to the underlying records. 



Part 1 

Narrative of Controls Design 


Community Central Services (CCS) is a nonprofit service entity with approx- 
imate annual total receipts of $600,000. There are several million dollars of 
investments that also contribute to the cash flow of the entity, small rental 
receipts from organizations that use the CCS facilities for meetings, and 
some significant cash receipts ($10,000 to $20,000 per event) from periodic 
fund-raising events. Recent changes to the accounting System hâve tightened 
Controls over cash receipts and disbursements. Starting this year, the dedicated 
funds and spécial funds (e.g., youth services fund, community beautification 
fund) formerly kept as separate accounts and managed by other groups of 
volunteers hâve been Consolidated into the CCS accounting System. 

Receipts are from weekly cash donations (from a locked box) and from 
pledges by community benefactors who may write weekly, monthly, or annual 
checks, or make cash contributions to fulfill their pledges. An account num- 
ber is provided to each person making a pledge or requesting a statement 
or receipt so that the contribution records can reflect the spécifie donor’s 
contribution. 

To save money, the entity stopped engaging a local CPA firm to do an 
annual audit several years ago. The treasurer (a volunteer position) now 
ensures that bank réconciliations are performed and scans the check register 
monthly to ensure expenses seem appropriate in amount and vendor. 

A single bookkeeper performs most accounting functions, and a volun- 
teer board member has oversight responsibility. The entity’ s director has no 
accounting background but signs ail checks. The bookkeeper has no ability 
to sign checks. Checks above $2,000 must also be cosigned by the treasurer. 
An independent service organization processes the payroll from entity records 
and pay schedules maintained by the bookkeeper. 

Each weekend at least two volunteers together (a rotated assignment from 
a pool of volunteers) open the cash contribution box and together count the 


223 


224 


NARRATIVE OF CONTROLS DESIGN 


cash receipts. Sometimes checks are also dropped in the box, but these are not 
included in the count and are passed directly to the bookkeeper for inclusion 
in the next deposit. The bookkeeper does not hâve a key to the cash box. The 
total cash receipts are recorded on a slip of paper and are placed with the 
cash and checks in a locked closet from where the bookkeeper retrieves the 
slip and cash, writes out a deposit slip, and adds to that deposit slip any mail 
receipts from the first workday. The bookkeeper then deposits the money. 

A semiannual statement for each person wishing a tax statement for contri- 
butions is prepared by the bookkeeper from the various contribution account- 
ing records. There hâve been no reported discrepancies in the contribution 
records. 

After the retirement of the former bookkeeper, the new bookkeeper (a for- 
mer nurse and a part-time entrepreneur; she and husband operate the new 
Child Care Services centers in town) has continued to follow existing prac- 
tices. Despite her lack of formai accounting training, the new bookkeeper 
has had some previous work expérience in accounting for another nonprofit 
entity. 


Contribution to Cash Cycle 
Template — CCS 


225 


Application — Ail cash receipts could impair Completeness, Accuracy, 


I 



226 



227 



Part 2 

Contribution to Cash Cycle with 
Control Procedures — CCS 


229 



onor File Mainte- Failure to record Accuracy, Reconcilations are not performed. 

nance — Changes to properly could Completeness Statements sent twice yearly to donors 



231 


related programs is 



Part 3 

Contribution to Cash 
Cycle — Completed — CCS 


233 


Control Objective Potential Risks Assertions Control Procedures Assessment 

Cash Collection and Failure to collect ail Occurrence, Deposits made every Monday, Walk-through confirms 

Application — Ail cash receipts could Completeness, or more frequently if a large in-operation. See WP W-3. 

receipts are deposited impair entity Accuracy, Cutoff amount received during Control objective not 



234 


Control objective 


Financial Reporting and Failure to properly Accuracy, Long-established procedures Director and treasurer hâve 

Monitoring — Postings classify Classification, renormal transactions. limited accounting 






235 


Control Objective 



236 



237 



Index 


Accounting expertise 

auditor’s évaluation of, 38 
control deficiency, 37-39, 44, 
106, 140, 149-151 
Accounting manuals, 101, 153 
Accuracy assertions, 56, 57 
American Institute of Certified 
Public Accountants 
(AICPA) 

Achilles’ Heel ofFraud 
Prévention, 46, 129 
Assessing and Responding to 
Audit Risk in a Financial 
Statement, 80, 159 
Attestation Standards, AT 
501, 5, 14, 15, 25, 76, 139, 
146, 154 

Audit Sampling Guide, 123, 
125, 126 

Auditing Standards Board. See 
Auditing Standards Board 
and consistency of standards, 
10 

COSO guidance, 111 
CPA’ s Handbook ofFraud 
and Commercial Crime 
Prévention, 213-217 
independent auditor rules, 1 1 
Management Antifraud 

Programs and Controls, 45, 
193-218 

Management Override of 
Internai Controls, 46, 129 
publications, ordering, 18 
Statements of Auditing 
Standards (SAS). See 
Statements of Auditing 
Standards 

Understanding SAS No. 112 
and Evaluating Control 
Deficiencies, 159 
“As of ’ reporting requirement, 
15, 16, 146, 147, 158 
Assertions 
accuracy, 56, 57 
completeness, 56, 57, 105 
and deficiencies, 158, 159 
and development of control 
objectives, 84, 87 


effectiveness of Controls, 
116-118, 133, 134 
existence, 56, 57, 158 
financial statement, 56, 57, 
163, 167, 176 

and matrices, use of, 80-82 
occurrence, 105 
and sample size, 124 
transaction, 84, 85 
Assessment of Controls, 139, 

140. See also Monitoring; 
Testing of Controls 
Association of Certified Fraud 
Examiners (ACFE), fraud 
survey, 1-3, 114, 181 
Attestation Standard AT 501, 5, 
14, 15, 25, 76, 139, 146, 
154 

and fraud prévention, 

208-210 

independence, 36, 37 
and internai auditors, 212 
oversight function, 36, 
207-209, 213 
recommendations of Blue 
Ribbon Committee on 
Improving the Effectiveness 
of Corporate Audit 
Committees, 36, 37, 69, 70 
responsibilities, 210, 211 
and testing control 
environment, 121 
Auditing standards, 17, 18. See 
also Statements of Auditing 
Standards 

Auditing Standards Board, 3, 5. 
See also Statements of 
Auditing Standards 
Auditors 

accounting guidance, 38 
assisting clients with internai 
Controls, 24, 25, 73, 106, 
111, 151 

auditing standards, 3, 4 
control deficiencies, reporting 
to management, 4, 109, 

111, 139, 151 
and control environment, 
36-38 


control objectives, assessment 
of, 109 

coordinating with, 7 
cost considérations, 13, 14 
fraud détection, 183, 184 
fraud prévention, 211, 212 
implémentation of internai 
Controls, confirmation of, 
111, 112 

independence, 3, 4, 7, 11, 24, 
25, 36-38, 66, 67, 106, 

111, 151, 212 
private businesses, 1 1 
and project plan development, 
24, 25 

reporting significant findings 
to, 66, 67 

testing of Controls. See 
Testing of Controls 
understanding of internai 
Controls, 109, 110 
Automated Controls 
auditor reliance on, 158 
consistency of, 138 
control activities, 60, 66 
deficiencies, 145, 155, 156, 
158, 172 

ITGC Controls, 158, 172 
and monitoring, 65 
reliance on other Controls, 145 
and testing Controls, 66, 121, 
122 


Balance sheet 

and “as of’ reporting date, 15, 
16, 146 

assertions, 56, 57 
and business processes, 
identifying, 47 
mapping entity to financial 
statements, 102 
Blue Ribbon Committee on 

Improving the Effectiveness 
of Corporate Audit 
Committees, 36, 37, 69, 70 
Board of directors 
ethics policies, 34 
fraud prévention, 208-210 
independence, 36, 37 


239 


240 


INDEX 


Board of directors ( continued ) 
not-for-profit organizations, 2, 
36 

responsibilities, 18 
and risk assessment, 32 
Budgets, 23, 24, 50 
Business characteristics, 148, 

149 

Business processes, 4, 40, 47-52 

Canada, Guidance on Control, 

18 

Cash disbursements 
approval procedures, 50 
and business processes, 
identifying, 47 
control objectives, 52, 54, 
86-89 

and fraud, 185 
management overrides, 22 
monitoring, 67 
narrative description, 51 
as pilot project, 20, 21 
severity of deficiencies, 67 
software, control features of, 
60 

Certified fraud examiners 

(CFEs), 120, 121, 179, 213 
Chief financial officer (CFO), 

19, 20, 210 

Chief information officer (CIO), 
20 

Close process, 51, 97, 106 
Commitments and contingencies, 
control objectives, 93, 94 
Committee of Sponsoring 

Organizations (COSO), 6, 9 
Framework. See COSO 
Framework 

Guidance for Smaller Public 
Companies, 75 
Internai Controls over 
Financial Reporting — 
Guidance for Smaller 
Public Companies, 18 
reports, obtaining, 18 
templates for Controls 
documentation, 75 
Communication. See 
Information and 
communication 
Compensation, 33, 38, 39 
Competency in accounting and 
financial reporting, 35, 
37-39, 44, 140, 149-151 
Completeness assertions, 56, 57, 
105 

Consultants 
availability of, 10, 11 


and project plan development, 
19, 24, 25 

software sélection, 76 
as source of control 
objectives, 55 
testing Controls, 113 
use of, 110 

Consumer privacy, 187 
Contingencies, 93, 94, 141 
Control activities 
assertions, use of, 55-57 
business processes, 
identifying, 47-51 
as component of COSO 
Framework, 19, 28, 46 
control objectives, 52, 53, 55 
deficiencies, 151. See also 
Control deficiencies 
documentation, 51, 52, 153 
and pilot project, 20 
procedures manual, 153 
and risk assessment, 40, 
53-55, 81 

Control attributes, 53, 54. See 
also Control objectives 
Control deficiencies 
accounting expertise, 37-39, 
44, 106, 149-151 
aggregating, 158, 159 
and “as of’ reporting date, 15, 
16, 146, 147, 158 
assessment of, factors 
effecting, 143-149 
automated Controls, 138, 145, 
155, 156 

compétence, lack of, 35, 
37-39, 44, 106, 149-151 
control design, 22, 109, 
137-140, 143, 144 
Controls performance, 154 
correcting, 16 
design deficiencies, 22, 
137-140, 143, 144, 152 
documentation, 72, 138, 151, 
153, 154 

examples of, 149-154 
exceptions. See Exceptions 
framework for evaluating, 

142, 143, 160-178 
identifying, 21, 38, 138, 151 
information technology, 61 
ITGC Controls, 122, 146, 147, 
157, 158 

level of control, 144, 145 
magnitude of, 10 
manual Controls, 154, 155 
material weakness. See 
Material weakness 
misstatements, 147, 148 
monitoring process, 66, 67 


objectives and timing of 
Controls, 145-147 
operations, 22, 116, 151, 152 
overall assessment, 158, 159 
pilot project findings, 21 
reporting to management, 4, 
109, 111, 139, 151 
risk environment, 148, 149 
severity of, 21, 35, 67, 
138-149, 154-158 
significant deficiencies, 4, 

106, 139-142, 151, 158, 
159, 175 

software tools, 79 
Control design 

assessment case study, 
219-237 

auditor assessment of, 109 
automated Controls, 121, 122, 
138 

and Controls assessment, 137, 
138 

deficiencies, 22, 137-140, 

143, 144, 152 
and fraud, 139 
need for documenting 
Controls, 110, 111 
Control environment 
accounting compétence, 

37-39, 44 

and assessment of control 
deficiencies, 145 
auditor independence. See 
Auditors 

as component of COSO 
Framework, 19, 28 
difficulty assessing, 32-34 
ethics, 34-36 

and fraud, 194. See also Fraud 
and human resources, 38, 39, 
71 

management style, 34, 35, 39 
and procedures manual, 153 
as project priority, 22 
testing of Controls, 120, 121 
Control objectives 

and assessment of control 
deficiencies, 145-147 
auditor responsibilities, 109 
Control Objectives for 
Information Technology 
(COBIT), 60 
and Controls design, 1 10 
and COSO Framework, 52-54 
customizing, 83-85 
and design deficiencies, 137 
examples, 54, 86-98 
govemment entities, 55 
matrix, use of, 80 
pilot project, 21 


INDEX 


241 


and risk assessment, 53, 54 
sources of, 55 
understanding, 12-16 
and use of spreadsheet 
templates, 75 
Control Objectives for 

Information Technology 
(COBIT), 60 

Controls framework, need for, 
16, 17. See also COSO 
Framework 
COSO Framework 

1992 report, 6, 17, 18, 21, 29, 
31, 38, 52, 54, 60, 75, 80, 
81, 86, 111 

2006 report, 18, 21, 53, 54, 
60, 75, 80, 81, 86, 111 
components of, 18, 19, 27-29 
control activities, 19, 28. See 
also Control activities 
control environment, 19, 28. 
See also Control 

control objectives, 52, 53. See 
also Control objectives 
deficiencies. See Control 
deficiencies 

diagrams, use of, 29-32 
fraud, 193 
information and 

communication, 19, 28, 
57-59 

Internai Control — Integrated 
Framework, 17 
internai control components, 
144 

internai control defined, 18, 

19 

monitoring, 19, 28. See also 
Monitoring 

overview, 18, 19, 27-29 
risk assessment, 19, 28. See 
also Risk assessment 
use of, 17 
Costs 

auditor considérations, 13, 

14 

benefits of documentation, 

153 

implémentation of internai 
Controls, 1, 4, 5, 25 
management of, 6, 7 
Cutoff assertion, 56, 57, 84 

Disaster planning, 64 
Documentation 

assertions, use of, 55 
auditor guidance, 73 
benefits of, 73, 74, 153 


business processes, 47-51 
checklists, 71 
close process, 106 
Controls and procedures, 3, 4 
cost management, 6, 7 
deficiencies, detecting, 138 
expansion of, 101, 102 
flowcharts, 71 

importance of in momtormg, 
66 

in-house, advantages of, 110, 
111 

inadéquate, 151, 153, 154 
information gathering, 82, 83 
matrices, 71, 80-83 
methods of documenting, 71 
minimum requirements, 112, 
113 

and monitoring, 72 
narratives, 51, 52, 71 
objectives as starting point, 99 
procedures manuals, 71 
purpose of, 71, 72 
scope of, determining, 99-107 
software for, 75-77 
spreadsheets, use of, 74, 75 
templates, use of, 74, 102, 103 

Effectiveness of Controls 

assertions, 116-118, 133, 134 
assurance level, 117, 118 
design effectiveness. See 
Control design 
overall assessment, 158, 159 
testing. See Testing of 
Controls 

Employées and fraud prévention, 
202-205. See also Fraud 
Ethics 

CPA ’s Handbook of Fraud 
and Commercial Crime 
Prévention, code of 
conduct, 213-217 
ethical environment, 34-36 
FEI Code of Ethics Statement, 
217, 218 

and fraud prévention, 

200-202 

Excel spreadsheets, 58, 74, 79 
Exceptions 
defined, 140, 141 
framework for evaluating, 
160-178 

and severity of deficiencies, 
139. See also Control 
deficiencies 
unexpected, 154, 155 
Existence assertions, 56, 57, 

158 


Fédéral Accounting Standards 
Advisory Board (FASAB), 
43 

Financial Accounting Standards 
Board (FASB), 43 
FAS No. 5, Accounting for 
Contingencies, 141 
Financial Executives 

International (FEI), Code of 
Ethics Statement, 217, 218 
Financial reporting 

Auditing Standard No. 2, An 
Audit of Internai Control 
over Financial Reporting 
Performed in t^onjuncnon 
with an Audit of Financial 
Statements, 2, 5, 25, 99, 

138, 140-142, 160-162, 
164, 165, 167-169, 
171-175, 177 

communications, rôle of, 58 
competency in accounting and 
financial reporting, 35, 
37-39, 44 
Controls design and 
implémentation scénario, 

13, 14 

Controls documentation, 71, 

72. See also Documentation 
deficiencies, 140, 149-151 
Internai Controls over 
Financial Reporting — 
Guidance for Smaller 
Public Companies, 18 
not-for-profit organizations, 

41 

risk assessment, 40, 41 
software, 58 
Financial statements 

assertions, 56, 57, 163, 167, 
176 

mapping entity to, 102, 103 
préparation of, 106 
sample, 48, 49 
scope of documentation, 
100-103 
Fixed assets 

risk assessment, 104 
sample control objectives, 91, 
92 

Focus groups, 120, 128, 130, 

131 

A Framework for Evaluating 
Control Exceptions and 
Deficiencies, 143, 160-178 
Fraud 

antifraud programs and 
Controls, 192-218 
and control deficiencies, 148, 
149, 157 


242 


INDEX 


Fraud ( continuel i) 

Controls, 45, 46 
defining, 179 
detecting, 183, 184 
discipline, 205, 206 
employée training, 204, 205 
equipment, 186, 187 
examples of, 188-192 
extemal, 180 

by family members, 180, 181 
fraud triangle, 114, 115, 182, 
183 

govemment entities, 3, 179 
hotlines, use of, 182 
and identity theft, 186, 187 
and importance of testing 
Controls, 109, 110 
and ineffective Controls 
design, 139 
intent, 179 
internai, 180 

inventory schemes, 186, 187 
and material misstatement, 
179, 183, 197 
motivation, 114, 182, 183 
not-for-profit organizations, 2, 
3, 40, 41, 139, 179 
opportunity, 114, 182 
payroll schemes, 185, 186 
prévention, 187, 188 
purchasing and cash 

disbursement schemes, 185 
rationalization, 114, 115, 183 
reasons for, 35 
recoveries, 181 
response to, 181, 182 
risk, identifying and 
measuring, 206, 207 
risk, mitigating, 207 
risk assessment, 53, 54 
risk management, 44-46 
sales and cash receipts 
schemes, 184, 185 
small businesses, 179 
statistics, 1-3, 181 
suspicion of, 135 
and workplace environment, 
202, 203 

Generally Accepted Accounting 
Principles (GAAP) 
and control deficiencies, 140 
disclosure of significant 
financial risks, 40 
industry practices, 43 
and risk assessment, 43, 44 
Govemment Accountability 
Office (GAO), Financial 
Auditing Manual, 55 


Govemment entities 

accounting principles, 43 
control objectives, 55 
county budget, sample, 50 
documentation, 72 
fraud, 3, 148, 149, 179 
need for internai Controls, 3 
reporting on internai Controls, 
154 

Govemmental Accounting 

Standards Board (GASB), 
43 

Human resources (HR) 

and control environment, 38, 
39 

procedure manuals, 71 

Identity theft, 186, 187 
Income statement assertions, 56 
Information and communication 
as component of COSO 
Framework, 19, 28, 57, 58 
financial reporting, 58 
flow of information, 58, 59 
and information technology. 
See Information technology 
(IT) 

Information Systems Audit and 
Control Association, 60 
Information technology (IT) 
access and security Controls, 
61, 123, 157, 158 
backups, 64 
change Controls, 62 
control components, 61-64 
and COSO Framework, 28, 
29, 60, 61 

general Controls, 121-123, 

146, 147, 157, 158 
operations, 63, 64 
passwords, 28, 61, 122, 129, 

148, 157, 186 
as project priority, 22 
risk assessment, 41, 42, 64 
Systems development, 62, 63 
Information technology general 
Controls (ITGC), 121-123 
“as of ’ date for reporting on 
internai Controls, 146, 147 
deficiencies, 122, 146, 147, 
157, 158 

evaluating deficiencies, 
169-172 

material weaknesses, 146, 

147, 157, 158, 169-172 
Institute of Internai Auditors 

(IIA), Standards for the 
Professional Practice of 
Internai Auditing, 211 


Internai Revenue Service (1RS) 
documentation 
govemment entities, 72 
not-for-profit organizations, 
72, 153 

International Fédération of 
Accountants (IFA), 76 
International Standards of 
Auditing 

and COSO Framework, 18 
ISA, 315, 28, 76 
ISA, 330, 28, 76 
Interviews 

conducting, 128-135 
focus groups, 120, 128, 130, 
131 

testing control environment, 

120, 121 

TT Control Objectives for 
Sarbanes Oxley, 60 
IT Govemance Institute, 60 

Management 

and fraud prévention, 210, 

MBWA (Management By 
Walking Around), 113, 115 
monitoring activities, 

113-116 

overriding internai Controls, 
22, 46, 129 
reports, 58, 59 
responsibility for 
documentation, 111 
Material misstatement 
and fraud, 179, 183, 197 
and ITGC deficiencies, 147 
likelihood of, 117, 147, 148, 
155, 168, 174, 177 
and material weakness, 167, 
174, 177 

potential for, notifying 
management of, 66 
and purpose of control 
objectives, 54 
and risk assessment, 104, 

106 

and severity of deficiency, 67 
Material weakness 

accounting expertise, 149, 151 
aggregated significant 
deficiencies, 158, 159, 175 
communicating to 

management, 4, 109, 139, 
149, 151 

defined, 140-142 
and effectiveness of Controls, 
46 

financial reporting, 106 


INDEX 


243 


information technology 
general Controls, 146, 147, 
157, 158, 169-172 
lack of documentation, 72 
overall assessment, 158, 159 
and severity of deficiencies, 
67, 139, 140, 146, 155, 156 
software tools, 79 
Matrices, use of, 71, 80-83, 86, 
187 

Contribution to Cash 
Evaluation Matrix — 
Completed, 220, 234-237 
Contribution to Cash 
Evaluation Matrix — 
Template, 219, 226, 227 
Contribution to Cash 
Evaluation Matrix — with 
Control Procedures, 219, 
230, 231 
Monitoring 

as component of COSO 
Framework, 19, 28, 64, 113 
Controls, evidence of, 67, 68 
Controls and processes, 65 
and design deficiencies, 137 
documentation, need for, 72 
evidence of, 154 
and fraud prévention, 105, 
207, 208 

and information and 
purpose of, 66 

significant findings, informing 
independent auditors of, 66 
small businesses, 65, 66 
software, 64, 65 
and testing of Controls, 
113-116 

Not-for-profit organizations 
accounting standards, 43-44 
board members, sélection of, 
36 

and competency in financial 
reporting, 35 

control matrices, use of, 82 
documentation, need for, 72 
and financial reporting risks, 
41 

financial statement, sample, 

48, 49 

and fraud, 40, 41, 139, 
179-192 

1RS scrutiny, 72, 153 
need for internai Controls, 2-3 
and Sarbanes-Oxley Controls, 
74 

scandais, 2, 40 


software considérations, 
76-80 

as target for fraud, 148, 149 
testing Controls, 109-123 
whistleblower protection, 182 

Occurrence assertions, 105 
Operations 

control deficiencies, 22, 116, 
151, 152 

information technology 
Controls, 63, 64 
Outsourced functions, 20, 82 


Passwords, 28, 61, 122, 129, 

148, 157, 186 
Payroll 

as pilot project, 20, 21 
sample control objectives, 90, 
91 

Periodic close 

as business process, 51 
documentation, 106 
sample control objectives, 97 
Pilot project 
control objectives, 53 
preliminary team, 19-22 
selecting area for, 20 
use of, 21 
Private businesses 
accounting principles, 43, 44 
AICPA guidance, 143 
auditor assistance, 111 
benefits of documentation, 10, 
11 

factors to consider, 11, 12 
importance of effective 
control design, 139 
independent auditor rules, 1 1 
need for internai Controls, 2, 3 
Procedures manual, 71, 73, 153 
Procrastination, 9, 10 
Project plan, 23-25 
Project team, 19-22 
Public Company Accounting 
Oversight Board (PCAOB) 
Auditing Standard No. 2, An 
Audit of Internai Control 
over Financial Reporting 
Performed tn Conjuncnon 
with an Audit of Financial 
Statements, 2, 5, 25, 99, 
138, 140-142, 160-162, 
164, 165, 167-169, 
171-175, 177 

Auditing Standard No. 5, 5, 
11, 14, 15, 25, 142 
and consistency of standards, 
10 


and costs of implementing 
requirements, 4, 5 

Reasonable person test, 141, 

148, 155, 158 

Reliance on Controls, 14-16, 22, 
113, 122, 146 

Remote likelihood, 141, 142, 
165, 174, 177, 178 
Report to the Nation on 

Occupational Fraud and 
Abuse (2006), 1-3, 114, 

181 

Reporting on internai Controls 
“as of’ date, 15, 16, 146, 147, 
158 

and Attestation Standard, 501, 
25 

and auditor understanding of 
internai Controls, 111 
design, implémentation, and 
effectiveness, 14, 15 
formats and tools for, 74-80 
govemment entities, 154 
and identifying business 
processes, 47 

and information technology, 
60 

and need for interviews and 
surveys, 133, 134 
and risk assessment, 99 
Sarbanes-Oxley requirements, 
4, 11, 74, 143 

and scope of documentation, 
99, 101 

and scope of project, 23 
time period, 15 
Resources, 10, 11, 23, 24 
Revenues 

control objectives, 86-88 
and identifying business 
processes, 47 

revenue cycle as pilot project, 
20 

and scope of documentation, 
100-103 
Risk assessment 
accounting principles, 43, 44 
and auditor understanding of 
internai Controls, 109, 110 
business process, 40, 41 
as component of COSO 
Framework, 19, 28 
continuing, 106, 107 
control activities, 40, 53-55 
économie risk, 42, 43 
financial reporting risks, 40, 

41 


fraud, 44-46 


244 


INDEX 


Risk assessment ( continued ) 
income overstatement and 
understatement, 105 
information technology, 41, 
42, 64 

and project scope, 23, 24 
resources, identifying, 24 
and scope of documentation, 
101, 104, 105 
and severity of control 
deficiencies, 148, 149 
worksheet, 81 

Sampling 

AICPA Audit Sampling guide, 
123 

assurance level, 117, 118 
information technology 
general Controls (ITGC), 
122, 123 

principles of, 116, 117 
sample size tutorial, 124-127 
sample sizes, setting, 

118-120, 134 

Sarbanes-Oxley Act of, 2002 
(SOX) 

and “as of’ reporting, 15, 16. 
See also “As of ’ reporting 
requirement 

and consolidation of business 
processes and Controls, 50 
and COSO Framework, 16, 

27, 74. See also COSO 
Framework 

costs of implémentation, 4, 5 
and information technology, 
60 

réluctance to comply with, 10 
reporting requirements, 4, 11, 
74, 143 

and severity of deficiencies, 
143 

software for documentation 
compliance, 76, 78 
SEC v. Livent , 157 
Securities and Exchange 
Commission (SEC) 
and COSO Framework, 18 
and costs of implementing 
requirements, 4, 5 
independent director rules, 36 
Self-assessment, 12 
Significant deficiencies, 3, 4, 72, 
79, 106, 109, 139-142, 

145, 146, 151, 155, 158 
aggregated, 158, 159, 175, 

177 

Six-step approach, 12 


Small businesses 

accounting expertise, 149, 151 
accounting principles, 44 
control objectives, 54 
monitoring fonction and 
control activities, 65, 113, 
115, 116 

public companies, 18, 75 
Software 

access and security, 157, 158. 

See also Passwords 
availability of, 10 
Controls documentation, 

74-76 

Controls embedded in, 121 
and financial reporting, 58 
legacy Systems and upgrading, 
62 

limitations of, 11, 12 
and monitoring fonction, 64, 
65 

MS Project, 24 
and new Systems 
development, 62, 63 
project plan management, 24 
sélection criteria, 25, 76-80 
Systems development, 62, 63 
SOX. See Sarbanes-Oxley Act 
of 2002 (SOX) 

Spreadsheets 
Excel, 58, 74, 79 
problems with, 58 
templates for documenting 
Controls, 74, 75 
use of in determining scope of 
documentation, 102, 103 
Statements of Auditing 
Standards 

SAS No. 39, Audit Sampling, 
124 

SAS No. 55, Considération of 
Internai Control in a 
Financial Statement Audit, 
27, 28, 179 

SAS No. 99, Considération of 
Fraud in a Financial 
Statement Audit, 44, 45, 

182, 192, 193 
SAS No. 103, Audit 
Documentation, 73 
SAS No. 109, Understanding 
the Entity, 73, 76 
SAS No. 111, amendment to 
Audit Sampling, 124 
SAS No. 112, Communicating 
Internai Control Related 
Matters Identified in an 
Audit, 38, 106, 111, 149 


Statements of Financial 
Accounting Standards 
SFAS No. 90, Regulated 
Enterprises — Accounting 
for Abandonments and 
Disallowances of Plant 
Costs, 44 

SFAS No. 93, Récognition of 
Dépréciation by 
Not-for-Profit Entities, 44 
Stock options, 16, 33, 35, 94 
Surveys, 120, 121 

Templates, use of, 58, 74, 75, 
79, 102, 103 
Testing of Controls 

auditor considérations, 15 
auditor understanding of 
internai Controls, 109, 110 
automated Controls, 121, 122 
control environment, 120, 121 
and Controls design, 110, 111 

deficiencies, detecting, 138 
documentation, 112, 113 
effectiveness, 14, 116 
implémentation of Controls, 
confirmation of, 111, 112 
information technology 
general Controls, 121-123 
infrequently operating 
Controls, 119, 120 
and monitoring activities, 
113-116 

and potential magnitude of 
misstatement, 147, 148 
rehance. See Reliance on 
Controls 

sampling, 116-120, 126. See 
also Sampling 
unexpected results, 106 
Treadway Commission, 17. See 
also Committee of 
Sponsoring Orgamzations 
(COSO) 

United Kingdom, Turnbull 
Report, 18 

Valuation assertions, 56, 57 

Walk-throughs, 112, 121, 122 
Whistle-blower protection, 182 
Word templates, 74, 75, 79, 86 


